Microsoft Issues 26 Bug Fixes for February


There will be no long lunches this week for systems administrators who oversee Microsoft software.

Microsoft (NASDAQ: MSFT) has issued a massive number of repairs for its monthly Patch Tuesday bug fix release. In total, the company released 13 separate security bulletins, five of them ranked "critical" on the company's four-tier severity rating scale. A bulletin can contain more than one security fix. All told, the 13 bulletins contain 26 fixes.

It's one of Microsoft's busiest patch days in recent history. Of the 26 individual bugs identified, a dozen of them are rated "critical," the most severe rating. In January, the company only had one bug patch to install.

The most patches Microsoft has issued in a single month came in October 2009, when the company fixed a total of 34 flaws with 13 patches.

In addition to the fixes, Microsoft also released a Security Advisory warning users and administrators of a security vulnerability in implementations of two Web standards – the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) security protocols.

Subsequently, the February patch release means a busy week or two of testing and validation for administrators, with some urgency tossed in for good measure.

"While everyone has been focused on the volume of updates today, it should be noted that there are 12 vulnerabilities with Microsoft's highest exploitability rating. This certainly raises the bar for customers to plan, test, and rollout these updates more quickly than usual," Sheldon Malm, senior director of security at the security firm Rapid7 said in an e-mailed statement.

All of the critically-rated vulnerabilities affect various versions of Windows.

Rapid7 and another security firm's expert fingered two of the patches as priority one repairs. The other fix is for problems with the System Message Block (SMB) protocol that Microsoft has struggled to plug in recent months.

"The SMB Server pathname overflow vulnerability tops my list this month," Joshua Talbot, security intelligence manager for Symantec Security Response, said in an e-mailed statement. "Server-side vulnerabilities aren’t too common anymore, but they’re a golden goose for attackers when they are discovered," Talbot added.

The experts' second high-priority pick is a fix for problems found in the TCP/IP protocol.

"The TCP/IP router advertisement vulnerability a biggie … It, too, is a server-side remote code execution issue and the scary thing is that this affects everyone running one of the effected systems," Talbot added.

Besides the SMB and TCP/IP stack fixes, Wolfgang Kandek, chief technology officer at security firm Qualys, has his eye on one patch that provides a cumulative security update to set more ActiveX killbits so that rogue programs can't run, another continuing problem that Microsoft has been gradually dealing with.

"Next [is] an update to the ActiveX Killbit settings, applicable to all platforms," Kandek said in an e-mailed statement.

One final note on Kandek's list is a patch for Microsoft's Hyper-V virtualization engine. While the patch is only rated "important" -- a step down in importance from critical -- the fact that it involves Microsoft's virtualization environment makes it unique on this month's list.

Additionally, Microsoft said last week that it would not have a patch ready on Tuesday that fixes the zero-day flaw in Internet Explorer (IE) disclosed last week at the Black Hat DC security conference in the Washington D.C. area.

That previously unknown bug could result in crackers getting access to users' files as long as the attackers know the files' locations.

The entire list of Microsoft's February Patch Tuesday fixes is available here.

Stuart J. Johnston is a contributing writer at, the news service of, the network for technology professionals.