Microsoft to fix 26 vulnerabilities on patch day
This Tuesday, 9 February, Microsoft plans to fix 26 security vulnerabilities in Office and in all supported Windows versions. The fixes are spread across 13 bulletins, five of which the company rates as critical. The Microsoft Security Response Center (MSRC) is already recommending that administrators and users treat bulletins 1, 2, 3 and 6 as top priority and test and install them as soon as they are released.
Among the bugs being fixed is the now 17-year-old vulnerability in the Virtual DOS Machine (VDM), which, using a number of tricks, lets a 16-bit program manipulate the kernel stack belonging to any process. A user with restricted privileges can exploit this to execute code with SYSTEM privileges, i.e. a local privilege escalation. Only the 32-bit editions of Windows ship the VDM subsystem; the 64-bit editions cannot run 16-bit code and are not affected.
There will be no patch for the newly discovered vulnerability in Internet Explorer. Microsoft does not appear to regard the problem as urgent, since it primarily affects Windows versions before Vista: from Vista onwards, Internet Explorer 7 and 8 run in Protected Mode, which blocks exploitation of the vulnerability. For earlier versions a Fix-it tool is available as a workaround.
The denial-of-service (DoS) vulnerability in the SMB clients of Windows 7 and Windows Server 2008 R2, disclosed in mid-November, also remains unpatched. It can only be triggered by a malicious SMB server sending crafted packets to a client that connects to it, a scenario that apparently occurs so rarely that Microsoft says it has yet to see a single instance in the wild. The vulnerability in the parsing of file names containing a semicolon in Internet Information Services 6.0 (IIS) likewise remains unpatched.
Microsoft is also reminding users that support for several Windows versions ends this year. There will be no further updates for Windows 2000 after 13 July 2010, and Windows XP Service Pack 2 leaves support on the same date; SP2 users are advised to upgrade to SP3. Windows Vista RTM is supported only until 13 April 2010, and Vista SP1 until 12 July 2011.
See also:
- Microsoft Security Bulletin Advance Notification for February 2010, security advisory from Microsoft.
- February 2010 Bulletin Release Advance Notification, an MSRC blog post.
- Microsoft confirms new vulnerability in Internet Explorer, a report from The H.
- Windows hole discovered after 17 years, a report from The H.