Hello all --

Today, as part of our monthly security bulletin release, we have 12 bulletins addressing 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and IIS (Internet Information Services). Three bulletins are rated Critical, and these are the bulletins we recommend for priority deployment:  

o    MS11-003. This bulletin resolves three critical-level and moderate-level vulnerabilities affecting all versions of Internet Explorer. Due to existing mitigations, this bulletin is only rated at Moderate severity for all versions of Windows Server, has an Exploitability Index rating of 1, and will deprecate Security Advisory 2488013.

o    MS11-006. This bulletin addresses one Critical-level vulnerability affecting Windows XP, Vista, Server 2003, and Server 2008. Newer versions of our operating system are unaffected. The vulnerability involves Windows Shell Graphics and could if exploited lead to remote code execution. This has an Exploitability Index rating of 1 and will deprecate Security Advisory 2490606 which we released on January 4th. Since that time, we have not seen any attacks against this issue.

o    MS11-007. This bulletin addresses one privately reported vulnerability affecting all supported versions of Windows and involving the OpenType Compact Font Driver. It's rated Critical for Windows Vista, Windows 7, Server 2008 and Server 2008 R2; it's rated Important for Windows XP and Server 2003.  This issue has an Exploitability Index rating of 2.

In this video, Jerry Bryant discusses this month's bulletins in further detail:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page

As mentioned, we are addressing Security Advisory 2488013 as part of the regularly scheduled Internet Explorer cumulative update. This Security Advisory and the zero-day disclosure on which it was predicated caused discussion in the security community, and some observers thought that we might be forced to release an out-of-band bulletin to protect customers. However, out-of-band releases are disruptive to customers and we try to avoid them where possible. Based on our capabilities to closely monitor the threat landscape, we were able to determine that attempts to attack this vulnerability were very low. With that information, we were able to extensively test a bulletin to be released as part of our regular bulletin cadence. The MMPC (Microsoft Malware Protection Center) blog has details about the telemetry we used to guide us. There we contrast this issue with telemetry from an out-of-band release last year to demonstrate why one was not needed here.

Also this month, we're updating Security Advisory 967940, "Update for Windows Autorun," to change how earlier versions of Windows handle security when reading "non-shiny" storage media. ("Shiny" storage media would include CD-ROMs and DVDs.) Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction. With the change to the Advisory, earlier versions of Windows that receive their updates automatically via Windows Update "AutoUpdate" will now gain that security-conscious functionality as well. We believe this is a huge step towards combating one of the most prevalent infection vectors used by malware such as Conficker.

Finally, we're excited to announce that changes are coming to the system we use for publishing our bulletins and security advisories - changes that will bring better integration with the wealth of other content on Technet and a richer experience for customers. We are expecting the changes to go live in the June 2011 timeframe. The main impact to customers will be a URL change from microsoft.com/technet/security to technet.microsoft.com/security. We are planning to have both the old and new sites available simultaneously for a period of time and will be providing more details in March.

Please join the monthly technical webcast with your hosts, Jerry Bryant and Jonathan Ness, to learn more about all the February 2011 security bulletins. The webcast is scheduled for Wednesday, February 9, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Trustworthy Computing.