February 2011 Security Bulletin Release

Hello all —

Today, as part of our monthly security
bulletin release, we have 12 bulletins addressing 22 vulnerabilities in
Microsoft Windows, Office, Internet Explorer, and IIS (Internet Information
Services). Three bulletins are rated Critical, and these are the bulletins we
recommend for priority deployment:  

MS11-003. This bulletin resolves three
critical-level and moderate-level vulnerabilities affecting all versions of
Internet Explorer. Due to existing mitigations, this bulletin is only rated at
Moderate severity for all versions of Windows Server, has an Exploitability
Index rating of 1, and will deprecate Security
Advisory 2488013

MS11-006. This bulletin addresses one Critical-level
vulnerability affecting Windows XP, Vista, Server 2003, and Server 2008. Newer
versions of our operating system are unaffected. The vulnerability involves
Windows Shell Graphics and could if exploited lead to remote code execution.
This has an Exploitability Index rating of 1 and will deprecate Security
Advisory 2490606
which we released on January 4th. Since that
time, we have not seen any attacks against this issue.

MS11-007. This bulletin addresses one privately
reported vulnerability affecting all supported versions of Windows and
involving the OpenType Compact Font Driver. It’s rated Critical for Windows
Vista, Windows 7, Server 2008 and Server 2008 R2; it’s rated Important for
Windows XP and Server 2003.  This issue has
an Exploitability Index rating of 2.

In this video, Jerry Bryant discusses this
month’s bulletins in further detail:

As always, we recommend that customers
deploy all security updates as soon as possible. Below is our deployment
priority guidance to further assist customers in their deployment planning
(click for larger view).

Our risk and impact graph shows an aggregate
view of this month’s severity and exploitability index (click for larger view).

More information about this month’s
security updates can be found on the Microsoft Security Bulletin summary web page

As mentioned, we are addressing Security Advisory 2488013 as part of the regularly scheduled
Internet Explorer cumulative update. This Security Advisory and the zero-day
disclosure on which it was predicated caused discussion in the security
community, and some observers thought that we might be forced to release an
out-of-band bulletin to protect customers. However, out-of-band releases are
disruptive to customers and we try to avoid them where possible. Based on our
capabilities to closely monitor the threat landscape, we were able to determine
that attempts to attack this vulnerability were very low. With that
information, we were able to extensively test a bulletin to be released as part
of our regular bulletin cadence. The MMPC (Microsoft Malware Protection Center)
blog has
about the telemetry we used to guide us. There we
contrast this issue with telemetry from an out-of-band release last year to
demonstrate why one was not needed here.

Also this month, we’re updating Security Advisory 967940, “Update for Windows Autorun,” to change
how earlier versions of Windows handle security when reading “non-shiny”
storage media. (“Shiny” storage media would include CD-ROMs and DVDs.) Windows
7 already disables Autorun for devices such as USB thumb drives, which prevents
malware lurking on such drives from loading itself onto computers without user
interaction. With the change to the Advisory, earlier versions of Windows that
receive their updates automatically via Windows Update “AutoUpdate” will now
gain that security-conscious functionality as well. We believe this is a huge
step towards combating one of the most prevalent infection vectors used by
malware such as Conficker.

Finally, we’re excited to announce that
changes are coming to the system we use for publishing our bulletins and
security advisories – changes that will bring better integration with the
wealth of other content on Technet and a richer experience for customers. We
are expecting the changes to go live in the June 2011 timeframe. The main
impact to customers will be a URL change from microsoft.com/technet/security to
technet.microsoft.com/security. We are planning to have both the old and new
sites available simultaneously for a period of time and will be providing more
details in March.

Please join the monthly technical webcast
with your hosts, Jerry Bryant and Jonathan Ness, to learn more about all the February
2011 security bulletins. The webcast is scheduled for Wednesday, February 9,
2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can
follow the MSRC team on Twitter at @MSFTSecResponse.


Angela Gunn
Trustworthy Computing.