It's Microsoft Patch Tuesday: February 2011

Justin James gathers the information you need to make the right decision on applying Microsoft's February 2011 patches in your organization.

As they say, "the hand that gives, also takes away." In this case, the Microsoft that had a lightweight January Patch Tuesday is slamming us with a monster February Patch Tuesday. There are also a few patches for Service Pack 1 for W7/2008R2, which is not yet released in final form. An awful lot of these were publicly disclosed, so there could well be attacks already out there for them. Luckily, many of the vulnerabilities require the attacker to be logged on locally, which reduces their risk quite a bit.

This blog post is also available in PDF format in a TechRepublic download. Falling behind on your patch deployments, catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

MS11-003/KB2482017 - Critical (XP, Vista, 7)/Moderate (2003, 2008, 2008R2): This is a fix for four Internet Explorer vulnerabilities (two of which were publicly disclosed) that allow attackers to run remote code execution attacks via malformed Web pages or pages that load external libraries (why are Web pages allowed to load external libraries?). The attacker gets the rights of the logged-in user. Microsoft thinks this is "moderate" for servers, but you should install this on all machines immediately. Remember, even if you surf the Web with a non-IE browser, lots of things embed the IE browser as a control! 2.8MB - 48.4MB MS11-004/KB2489256 - Important (Vista, 7, 2008, 2008R2): It's rare to see patches needed for IIS, but this is one of them. It resolves a publicly disclosed issue with the FTP service in IIS that can allow remote code execution attacks to be performed via FTP commands. You don't need this patch unless you have an FTP server up and running. 156KB - 359KB MS11-005/KB2478953 - Important (2003): An issue with Active Directory can cause denial-of-service attacks against 2003 servers. Of course, your AD servers should not be accessible to the general public, so this patch can wait until your normal patch cycle. 1.4MB - 6.8MB MS11-006/KB2483185 - Critical (XP, Vista, 2003, 2008): Thumbnail images can cause remote code execution errors on pre-Windows 7/2008R2 systems. To make it worse, this vulnerability has already been disclosed. You'll want to install this fix ASAP. 3.1MB - 15.1MB MS11-007/KB2485376 - Critical (Vista, 7, 2008, 2008R2)/Important (XP, 2003): Problems with the font handling for OpenType fonts can cause remote code execution attacks. Apparently, this can be done through a Web page that forces the font to load, so you will want to install the patch as soon as you can. 260KB - 1.3MB MS11-008/KB2451879 - Important (Visio 2002, Visio 2003, Visio 2007): Malformed Visio files can be used to perform remote code execution attacks. Visio is a fairly uncommon application, so this patch can wait until your next scheduled patch day. 10.4MB - 12.8MB MS11-009/KB2475792 - Important (W7, 2008 R2): The JavaScript and VBScript engines in W7 and 2008 R2 can cause an information disclosure if the user visits a Web site designed to take advantage of a pair of vulnerabilities. This patch fixes it. You might consider a disclosure of information more serious than Microsoft does, and if you do (and I think you should), you will want to patch this as soon as you can. 547KB - 1.4MB *** MS11-010/KB2476687 - Important (XP, 2003): An attacker who is logged on locally and runs a specially made application can take advantage of an escalation of privileges exploit. That's a fairly small set of circumstances, so the patch to fix it can wait until your usual patch time. 508KB - 1.0MB MS11-011/KB2393802 - Important (XP, Vista, W7, 2003, 2008, 2008R2): This is another escalation of privileges vulnerability that requires the attacker to be logged on locally. Again, there is no need to patch this immediately. 2.5MB - 9.3MB MS11-012/KB2479628 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): The patch handles a whopping five vulnerabilities. Like the two before it, these issues can allow a locally logged on user to run an application and get more rights than they currently have. This patch is not something you need to rush to install. 1.1MB - 5.6MB MS11-013/KB2496930 - Important (XP, 7, 2003, 2008 R2): This patch deals with a pair of vulnerabilities, one that can be used to spoof and the other than can be used to perform escalation of privileges attacks. For the latter, the attacker needs to install a service on a machine that's a domain member. This can wait until your usual patch time. 305KB - 1.7MBKB MS11-014/KB2478960 - Important (XP, 2003): This is our last patch for February, and it's yet another escalation of privileges problem that can be exploited by running an application locally. Patch on schedule. 830KB - 2.6MB

Other updates

KB2117917 - This is a "platform update supplement" for Vista and 2008. I don't think I've ever heard them call a "patch" that before. It isn't quite a "hotfix," and it isn't big enough to be a "service pack" but what it does is add a few features to those two OSs, including one that's needed if you want HTML5's "video" tag to work in Chrome and Firefox with H.264 video (the most common kind around). 6.1MB - 13.2MB KB2454826 - Reliability update for 2008 R2 - nothing special here. 10.1MB KB2487426 - This patch fixes issues with x86 applications after installing SP1 on W7 or 2008R2. 128KB - 153KB KB2502285 - WP7 SP1 has been causing some computers to crash with the error 0x0000007F, this patch resolves the issue. 529KB

"The Usual Suspects": Updates to the Malicious Software Removal Tool (12.3MB - 12.8MB) and the Junk Email Filter (2.2MB).

Changed, but not significantly:

Updates since the last Patch Tuesday

There were no security updates released out-of-band.

Minor items added or updated since the last Patch Tuesday:

KB2463332 - Windows Internal Database SP4 41MB - 44MB KB981089 - Windows Home Server Update, which resolves a number of issues, all minor. 22MB

Changed, but not significantly:

  • None