Should monthly patch release model get a restart?
Microsoft's February security bulletin targets 20-plus vulnerabilities, but some 'critical' patches are still missing, which seems to happen more often than not
As expected, Microsoft has released 12 security bulletins in its February security update, targeting more than 20 software vulnerabilities.
The patch contains three bulletins rated "critical," along with nine considered "important." Remote code execution (RCE) considerations are addressed in the three critical bulletins. For the important items, there are two RCE risks and five items with elevation-of-privilege implications. In the remainder of the slate, Microsoft addresses denial-of-service and information-disclosure issues.
The first critical bulletin comes highly anticipated as it's for Internet Explorer, affecting IE 6, 7 and 8 on all supported Windows operating systems.
"We finally got our patch for Internet Explorer today in the midst of Microsoft's 12 bulletins; three of which were critical and nine important," said Paul Henry, security analyst at Lumension. "Nine hundred million people are now sharing the love for Microsoft after last month, when we waited for the IE patch that never came."
According to Microsoft's bulletin notes about the IE flaw, an attack can be executed when a specially crafted Web page "opens a legitimate HTML file that loads a specially crafted library file."
The second critical item, addresses the publicly disclosed vulnerability in the Windows Shell graphics processor, a leftover issue from earlier this year that is finally being patched. The patch touches every supported operating system except for Windows 7 and Window Server 2008.
The final critical bulletin on tap affects every supported Windows OS version and involves vulnerability in the Windows OpenType Compact Font Format driver.
The first important fix affects Vista, Windows Server 2008 and Windows 7 operating systems and patches Internet Information Services.
Important item No. 2 only touches Windows Server 2003, resolving a publicly disclosed vulnerability in Windows Active Directory.
Important bulletin No. 3 provides an update for Microsoft Office, the Visual Studio development environment and Visio applications (versions 2002, 2003 and 2007).
The fourth important item addresses Windows 7 and Windows Server 2008 operating systems. Microsoft is providing a patch for vulnerabilities in the JScript and VBScript scripting engines. The patch protects against specially crafted Web pages that could muck up an Internet Explorer session.
Important bulletin No. 5 focuses on a vulnerability in the Microsoft Windows Client/Server Run-time Subsystem in Windows XP and Windows Server 2003.
The sixth important bulletin is a fix for every supported Windows OS, plus a Windows update. The same scenario can be expected with important item No. 7.
Important items No. 8 and No. 9 both address systems running Windows XP and Windows Server 2003. Item No. 8 addresses domain components and Windows Kerberos, while item No. 9 covers the Local Security Authority Subsystem Service in Windows XP and Windows Server 2003.
As usual, many security pros are talking about what's not in the patch. Such questions seem to come up each month. For instance, despite the fact that there are 12 fixes in the February security update, Microsoft still came up short on patching the MHTML issue in Windows/Internet Explorer.
While there's no patch for the MHTML flaw, Microsoft did release a workaround in its security advisory 2501696.
Some, security pundits, such as Anup Ghosh, chief scientist and founder of security shop Invincea, are going out on a limb and questioning the patch release model more generally. Ghosh labeled the monthly update routine as a "security insanity cycle."
"The security industry today has largely accepted that the standard in network defense is a wash-rinse-repeat cycle in a never-ending game of whack-a-mole where all industry interests are aligned in perpetuating the cycle and servicing the problem, rather than breaking it," Ghosh said in a blog post.
Meanwhile for IT administrators expecting to wrestle with Microsoft's February patch, it's important to know that all security items may require a restart. IT pros can tap this Knowledge Base article for info on nonsecurity updates distributed through Windows Server Update Services, Windows Update and Microsoft Update.
Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.