Hefty February Microsoft security patch arrives

Microsoft's February security update marks another notable Patch Tuesday, with 13 patches addressing more than 26 vulnerabilities in Windows and Microsoft Office.

Of the 13 fixes on the slate, five are rated "critical" and seven are considered "important," with one lone "moderate" item included in the patch. Nine of the patches have remote code execution (RCE) exploit considerations. The remaining fixes address either elevation-of-privilege or denial-of-service risks.

As one security observer pointed out, this February release could have been the biggest in Microsoft's history. However, Microsoft left Internet Explorer out this month's slate of fixes, even though Microsoft issued an off-cycle patch in January and a new advisory for Internet Explorer in early February.

"Microsoft's February 2010 [security update] was slated to be the biggest release for Microsoft patches in the last two years — 14 bulletins addressing 34 vulnerabilities," explained Wolfgang Kandek, chief technology officer at Qualys. "But the Google/CN Internet Explorer zero-day forced Microsoft to accelerate the testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which constitutes one of the bigger patch Tuesdays."

Critical Items
The five critical fixes in the patch affect pretty much every supported version of the Windows operating system family. The first critical item returns to familiar territory—namely, the Server Message Block (SMB) component in Windows.

"Based on the number of SMB bugs fixed in 2009 and the recent disclosure of a bug in SMB affecting Windows 7 and 2008—plus the two bulletins today—it's a safe bet that Microsoft is making a focused effort to eradicate SMB bugs in its products," said Andrew Storms, director of security operations at nCircle. "A lot of people will be disappointed that the public SMB bug disclosed in mid-November was not patched today. The obvious answer to 'why' is that this bug is not the most important. It makes you wonder, though, what else could be looming on the horizon for SMB."

The second critical item affects Windows Shell Handler. This fix resolves a privately reported vulnerability in Windows 2000, Windows XP and Windows Server 2003.

Critical item No. 3 is a cumulative security update for ActiveX killbits, addressing a privately reported vulnerability affecting Microsoft Windows 2000 and Windows XP. Microsoft deems this fix to be important for Windows Vista and Windows 7 and moderate for Windows Server 2003, while it's ranked "low" for Windows Server 2008 and Windows Server 2008 R2.

"Killbit is back again, now affecting not only Microsoft but third parties," said Josh Abraham, a security researcher with Rapid7. "The new affected software includes Google Desktop Gadget, Facebook Photo Updater, Symantec WinFax Pro and Panda ActiveScan Installer."

The fourth critical item addresses an RCE vulnerability associated with TCP/IP in Vista and Windows Server 2008. The fifth and final critical item deals with DirectShow, in which the exploit in question could allow an RCE attack if a user, according to Microsoft, opens a "specially crafted Audio-Video Interleave (AVI) file." This fix affects every known Windows OS.

Important Items
First up in the important slate of security updates is a cumulative fix for vulnerabilities in Microsoft Office. The vulnerabilities, left unpatched, could allow RCE attacks if a user opens a specially crafted Word, Excel or PowerPoint file.

Important item No. 2 addresses six privately reported vulnerabilities in Microsoft Office's PowerPoint presentation app. However, a fix for PowerPoint Viewer 2003 isn't included in the February patch.

"It is important to note that PowerPoint Viewer 2003 is affected by this vulnerability, but Microsoft is not releasing a patch for this version of the viewer," said Jason Miller, data and security team leader at Shavlik Technologies. "Microsoft is stating the product has reached the end of its lifecycle and will not have any future security patches. You should identify all PowerPoint 2003 Viewers on your network and upgrade them to PowerPoint 2007."

Important item No. 3 is said to resolve privately reported vulnerabilities in Microsoft's Hyper-V hypervisor, which comes with Windows Server 2008 and Windows Server 2008 R2.

The fourth important item targets vulnerabilities in Microsoft's Windows Client/Server Run-time Subsystem (CSRSS) in Windows 2000, Windows XP and Windows Server 2003.

Important item No. 5 is another SMB fix. Left unpatched, this vulnerability could allow an RCE attack if "an attacker created a specially crafted SMB packet and sent the packet to an affected system."

The sixth important item will be especially useful for Windows helpdesk specialists. It addresses maliciously configured ticket renewal requests sent specifically through the Windows Kerberos domain from "an authenticated user on a trusted non-Windows Kerberos realm," according to the bulletin.

The seventh and last important item addresses elevation-of-privilege attack risks in the Windows kernel. Microsoft explained in the bulletin that "the vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application."

Moderate Item
Lastly, the lone moderate item describes what might happen if RCE exploits were triggered by a user opening and viewing a specially crafted JPEG image file using the graphics program Microsoft Paint. This fix only addresses vulnerabilities on the Windows 2000 and Windows XP operating systems.

All of the fixes in this February security update may require a restart to complete.

IT administrators who still have time after applying all of these fixes can check out this Knowledge Base article. It describes nonsecurity updates arriving via Windows Update, Microsoft Update and Windows Server Update Services.