Microsoft published their worksheet for the risk assessment of the current advisories and the open 0-days on their SRD blog. The "css.css" IE vulnerability is ranked highest, followed by the current Windows Explorer "thumbnail" issue, but the worksheet also lists the DoS vulnerability in the FTP service of IIS, cross_fuzz and WMI ActiveX. Good information for anybody involved in security, patching and mitigation.
Microsoft is working on some helpful guidelines for the risk assessment of the current advisories and the open 0-days. Their highest priority is the Internet Explorer "css.css" issue (KB2488013), which has a suggested workaround of using EMET. The Windows Explorer "thumbnail" issue can be addressed by setting the permissions on the DLL in question, which is easy to do and has only a very limited usability impact (instead of displaying thumbnails of image files, Explorer will only show generic icons). It is also automated in the FixIt link in the advisory itself and can be easily scripted by IT admins; recommended. Microsoft continues to work on reproducing the "cross_fuzz" vulnerability, but believes that it would be difficult to use it in a real-world exploit.
January 2011’s Patch Tuesday will be low volume. Microsoft announced 2 Bulletins: MS11-001 and MS11-002, the first one rated important and only affecting Windows Vista, while the second one is rated critical and affecting all versions of Windows, including Windows 7 and 2008R2.
But there is also potential for further updates this month, as Microsoft has acknowledged 2 open 0-days. One was confirmed just yesterday on Jan 5th in Security Advisory 2490606 (a vulnerability in Windows Graphics Rendering Engine) and the other on Dec 22nd in Security Advisory 2488013, a vulnerability affecting Internet Explorer. Both flaws are reportedly used in targeted attacks and users should look at the mitigation steps outlined in the advisories. KB2490606 has a Microsoft Fixit button that home users and small businesses can use to implement the mitigation instructions.
The security community is discussing 2 additional vulnerabilities in Internet Explorer, and proof-of-concept code exists. We expect Microsoft to acknowledge them soon. The SANS ISC has an overview that lists the open issues. We will keep this blog updated as new developments occur.