Establishing Digital Trust: Don't Sacrifice Security for Convenience
On Microsoft's "Patch Tuesday" event for February, the company released a dozen patches that take care of a total of 22 security vulnerabilities, six of them ranked as "critical," the top tier on Microsoft's four-tier severity ranking scale.
The patch drop likely means some long hours for security professionals and administrators.
Microsoft's (NASDAQ: MSFT) second patch release of the year isn't the largest that the company has fielded in recent months, but it contains fixes for two zero-day vulnerabilities that have been haunting Microsoft for the past few weeks.
One patch provides a fix for a critical Windows graphics rendering flaw that could enable an attacker to plant a booby-trapped thumbnail image, either on a website or inside a Word or PowerPoint file sent as an email attachment, with the object of taking over the user's PC.
The fix is rated critical for Windows XP, Vista, and Windows Server 2008, the company said.
A second critical fix blocks a zero-day bug in Internet Explorer's (IE) support for "cascading style sheets" (CSS) that emerged early this year. In order to trigger an attack, all a user would need to do is view a poisoned Web page.
The fix for the CSS hole, and two others also rated critical, is delivered as part of a cumulative update to IE. In fact, the holes impact most versions of Windows and IE.
While acknowledging the need to keep up to date on patches, one security researcher was taken aback by the amount of effort that will be required to roll out the CSS patch, because it requires every system to be rebooted after installation. By his projection, that means somewhere in the range of 900 million PCs.
"As we know from experience, reboots of this magnitude have been known to upset services and applications, so it's possible we will see similar problems to what we encountered in 2007 when a large Microsoft patch that required a reboot crippled applications, Skype in particular," Paul Henry, forensic and security analyst at researcher Lumension, said in an e-mail to InternetNews.com.
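A patch that requires a reboot is not effective until the reboot has actually happened, so a rollout of this size needs a check that separates "update installed" from "host remediated". The following PowerShell is an added example, not code from the article or from Microsoft or Lumension: it queries installed hotfixes with Get-HotFix and the three registry locations Windows uses to flag a pending reboot. The KB identifier is a parameter because the article names none, and the hypothetical 'KB1234567' in the usage line is a placeholder; remote execution assumes PowerShell remoting (WinRM) is enabled on the targets.

```powershell
# Added example (not from the article): report, per host, whether the given
# updates are installed and whether a reboot is still pending, so a machine is
# only counted as remediated once both conditions hold.

function Test-PendingReboot {
    # Each location is written by a different Windows component:
    # the servicing stack (Vista and later), Windows Update, and the
    # session manager's file-rename queue (present on XP as well).
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    if (Test-Path $cbs) { return $true }
    if (Test-Path $wu)  { return $true }
    $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pfro) { return $true }
    return $false
}

function Get-PatchStatus {
    param(
        # Hotfix IDs as Get-HotFix reports them, e.g. 'KB1234567' (placeholder,
        # not an identifier from the article).
        [Parameter(Mandatory = $true)][string[]]$KBId,
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($computer in $ComputerName) {
        $installed = Get-HotFix -ComputerName $computer -ErrorAction SilentlyContinue |
                     Where-Object { $KBId -contains $_.HotFixID }
        $missing   = @($KBId | Where-Object { @($installed.HotFixID) -notcontains $_ })

        # Run the reboot check on the target itself; requires WinRM.
        $reboot = Invoke-Command -ComputerName $computer `
                    -ScriptBlock ${function:Test-PendingReboot} `
                    -ErrorAction SilentlyContinue

        [pscustomobject]@{
            ComputerName  = $computer
            Installed     = (@($installed.HotFixID) -join ',')
            Missing       = ($missing -join ',')
            RebootPending = [bool]$reboot
            # Installed but still awaiting reboot is NOT remediated.
            Remediated    = ($missing.Count -eq 0 -and -not $reboot)
        }
    }
}

# Usage (placeholder KB and host names):
# Get-PatchStatus -KBId 'KB1234567' -ComputerName 'host1','host2' | Format-Table -AutoSize
```

Hosts that show the update installed but RebootPending set are the ones the researcher's concern is about: they are still exposed, and the reboot is the step that has to be scheduled and tracked, not the install.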
Microsoft also released a patch for another critical vulnerability on Tuesday -- this one affecting Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7, the company said.
The problem lies in a driver for parsing the OpenType Compact Font Format (CFF), a font format that takes less space than other font formats. It was co-developed by Microsoft and Adobe. A user who views a malicious Web page hosting a doctored CFF font can have the system completely compromised.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.