Big news today: we have an industry first. HP/TippingPoint's Zero Day Initiative (ZDI), a vulnerability broker, has published 22 new 0-day vulnerabilities in accordance with its recently changed disclosure policy. We will be watching to see how quickly the affected vendors, including CA, EMC, HP and IBM, react. Also, Adobe and Mozilla both release new versions of their flagship products, Adobe Reader/Acrobat and Firefox, and Microsoft provides fixes in 12 security updates.
Microsoft's February Patch Tuesday addresses vulnerabilities in Windows (all versions), Office (only Visio) and Internet Explorer, and includes patches for three major outstanding 0-day vulnerabilities: the Internet Explorer "css.css" flaw, the Windows "thumbnail" flaw and the possible remote code execution on IIS through the FTP service. MS11-003 for Internet Explorer, MS11-006 for the Windows "thumbnail" flaw and MS11-004 for the IIS vulnerability are at the top of our list of recommended patches. The Internet Explorer flaw has seen an increased number of attacks recently, and its fix should be the highest priority. While MS11-004 is currently classified as a DoS vulnerability only, security researchers have been working on a way to turn it into remote code execution.
MS11-007 is the third critical vulnerability in this month's lineup and addresses a flaw in the OpenType library. Since OpenType is not used in Internet Explorer, this important attack vector is closed off, forcing more complicated delivery schemes to be used, via zipped folders for example, similar to this attack on MS11-006. However, as third-party browsers can possibly be used in the exploitation of this flaw, we recommend including this patch in the high-priority queue.
While three 0-days have been addressed, ZDI yesterday added an additional five: four in Microsoft Excel and one in PowerPoint. These vulnerabilities were made public before the patches were actually available because the advisories had been in the vendor's hands for longer than 180 days. Microsoft is not the only company affected: ZDI has one 0-day each for EMC, Novell, CA and SCO (good luck there), eight for IBM in Domino and Lotus Notes, and even four 0-days for ZDI's parent company HP (for example http://www.zerodayinitiative.com/advisories/ZDI-11-057).
In addition to all of this news, we are expecting Adobe to ship a new version of Reader X and Mozilla to release a new version of Firefox. Both have automatic updaters built in, which should accelerate the roll-out in most of the environments where these very recent software packages are already in use.
On an interesting note, Microsoft decided to publish KB967940 in Windows Update to increase its likelihood of installation. KB967940 has been available as an optional download for over a year and backports the "autorun" behavior from Windows 7 to Windows XP and 2003. Microsoft expects a positive impact on worm containment, as explained in detail on the MMPC blog.
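The practical follow-up for an administrator is to confirm that a given XP/2003 host actually received KB967940 and to see what its AutoRun policy currently says. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes PowerShell 2.0 or later on the host being checked. It uses Get-HotFix to look for KB967940 and reads the NoDriveTypeAutoRun policy value from both HKLM and HKCU, decoding the bitmask into the drive types for which AutoRun is disabled (0xFF disables all of them). The hotfix changes shell behaviour independently of that registry value, so the two checks complement each other rather than duplicate one another.

```powershell
# Added example (not from the original post or from Microsoft).
# Assumes PowerShell 2.0+ and read access to HKLM and HKCU on the host.

# Drive-type bits in NoDriveTypeAutoRun; a set bit disables AutoRun for that type.
$DriveTypeBits = @{
    0x01 = 'Unknown'; 0x02 = 'NoRootDir'; 0x04 = 'Removable'; 0x08 = 'Fixed'
    0x10 = 'Remote';  0x20 = 'CDROM';     0x40 = 'RamDisk';   0x80 = 'Reserved'
}

# Read the policy value from one hive; returns $null when it is not set.
function Get-NoDriveTypeAutoRun {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $path = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

# Translate the bitmask into the list of drive types with AutoRun disabled.
function ConvertFrom-AutoRunMask {
    param([int]$Mask)
    $disabled = @()
    foreach ($bit in ($DriveTypeBits.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $disabled += $DriveTypeBits[$bit] }
    }
    return $disabled
}

function Get-AutoRunHardeningStatus {
    # KB967940 is the hotfix named in the post; Get-HotFix lists installed updates.
    $hotfix = Get-HotFix -Id 'KB967940' -ErrorAction SilentlyContinue

    $machine = Get-NoDriveTypeAutoRun -Hive 'HKLM'
    $user    = Get-NoDriveTypeAutoRun -Hive 'HKCU'

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        KB967940Installed = ($hotfix -ne $null)
        MachinePolicyMask = $machine
        MachineDisabled   = if ($machine -ne $null) { (ConvertFrom-AutoRunMask $machine) -join ',' } else { '(not set)' }
        UserPolicyMask    = $user
        UserDisabled      = if ($user -ne $null) { (ConvertFrom-AutoRunMask $user) -join ',' } else { '(not set)' }
        AllTypesDisabled  = (($machine -eq 0xFF) -or ($user -eq 0xFF))
    }
}

# Usage: run on the host (or inside Invoke-Command for remoting) and review the report.
$status = Get-AutoRunHardeningStatus
$status | Format-List
if (-not $status.KB967940Installed) { Write-Warning 'KB967940 is not installed on this host.' }
if (-not $status.AllTypesDisabled)  { Write-Warning 'NoDriveTypeAutoRun is not 0xFF; AutoRun remains enabled for some drive types.' }
```

The two warnings are deliberately separate: a fleet can have the hotfix everywhere and still carry a permissive policy mask, or have a hardened mask pushed by Group Policy on hosts that missed the update. Feeding the object into Export-Csv across a set of machines gives a simple inventory of where either control is still missing.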