Microsoft today issued three "critical" security bulletins as part of its monthly Patch Tuesday program. Together with nine other alerts, which the company rated as "important," the bulletins address 22 vulnerabilities spanning Microsoft products from Windows and Internet Explorer to Office and Internet Information Services.
At the top of the list is MS11-003, a cumulative update for Internet Explorer that resolves four vulnerabilities. Included is a fix for the nasty CSS bug outlined in Security Advisory 2488013, a memory-corruption flaw that could let an attacker run code on a visitor's computer simply by getting them to view a malicious web page.
In a podcast about the patches, Jerry Bryant, group manager of response communications for Microsoft's Trustworthy Computing Group, downplayed the scope of the CSS issue, saying that the company had seen only limited, targeted attacks using this vulnerability. To drive that point home, the company released telemetry showing how attacks on this vulnerability stack up against those on an already-patched vulnerability in the Windows Shell, to explain why the fix was not made available outside the company's normal monthly release cycle.
"While our first priority is to protect customers from issues like these, we also look to minimize disruption that issues like out-of-band releases can bring," Bryant said.
The second critical item is MS11-006, which addresses the thumbnail image vulnerability. It fixes a security hole in the Windows Graphics Rendering Engine that could let attackers take control of a user's computer by getting them to open or preview a specially crafted image, such as a thumbnail in a shared folder or a document. The problem affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, but not Windows 7 or Windows Server 2008 R2, the company said.
"We have not seen any attacks against this vulnerability, but proof of concept code is available to attackers, so we recommend customers put this at the top of their priority list," Bryant said.
The third critical item is MS11-007, which patches a vulnerability in the OpenType Compact Font Format (CFF) driver. Exploiting it requires an end user to load what Microsoft classifies as a "maliciously crafted" font. Bryant explained that the issue had been privately disclosed to the company and that it was rated 2 ("inconsistent exploit code likely") on the Exploitability Index, meaning Microsoft expects any exploit code that appears within the next 30 days to be unreliable rather than working consistently.
One tier lower on the company's deployment priority index (the guidance Microsoft gives customers on the order in which to roll out the month's patches) is the fix for the zero-day vulnerability in the FTP service of IIS 7.0 and 7.5. It too has a rating of 2 on the Exploitability Index, and it is part of MS11-004, which Microsoft rated "important."
Along with those critical and important updates, Microsoft is changing how Autorun behaves when users plug in USB thumb drives. The company is disabling Autorun for USB thumb drives and other non-optical removable media in versions of Windows older than Windows 7, which already restricts Autorun to CDs and DVDs. The change is going out through Windows Update and Automatic Updates rather than as a security bulletin.
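The Autorun change above is delivered as a Windows update, but administrators who want to verify or enforce the same policy on older systems can inspect the NoDriveTypeAutoRun value that Explorer honours. The following PowerShell is an added example written for this article, not Microsoft's code or the mechanism of the update itself; it assumes the documented policy path under HKLM and the standard drive-type bit assignments (0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk, 0x80 unknown), and it treats 0x91 as the default mask when the value is absent.

```powershell
# Added example (not from the article): audit the Autorun policy mask and,
# when run with administrative rights, set it so that only optical media
# may autorun, roughly matching the Windows 7 behaviour the article describes.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Assumption: standard DRIVE_* bit assignments for NoDriveTypeAutoRun.
$DriveBits = [ordered]@{
    Unknown   = 0x80
    RamDisk   = 0x40
    CDROM     = 0x20
    Network   = 0x10
    Fixed     = 0x08
    Removable = 0x04   # USB thumb drives fall here
}

function Get-AutoRunMask {
    # Returns the effective mask; 0x91 is assumed as the default when unset.
    $item = Get-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0x91 }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutoRunDisabled {
    # A set bit means Autorun is suppressed for that drive type.
    param([int]$Mask, [string]$DriveType)
    return (($Mask -band $DriveBits[$DriveType]) -ne 0)
}

function Set-OpticalOnlyAutoRun {
    # 0xDF = every type disabled except CD-ROM (0xFF with the 0x20 bit cleared).
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xDF -Force | Out-Null
}

$mask = Get-AutoRunMask
'NoDriveTypeAutoRun = 0x{0:X2}' -f $mask
foreach ($type in $DriveBits.Keys) {
    '{0,-10} Autorun disabled: {1}' -f $type, (Test-AutoRunDisabled -Mask $mask -DriveType $type)
}

# Uncomment to enforce the hardened mask (requires an elevated prompt):
# Set-OpticalOnlyAutoRun
```

With the default 0x91 mask the report shows Removable as not disabled, which is exactly the gap the Microsoft update closes for older Windows versions. A per-user copy of the same value under HKCU is also honoured by Explorer, so a thorough audit checks both hives.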
As mentioned in previous coverage of this month's updates, Microsoft has not offered further details on a long-term fix for the MHTML vulnerability that surfaced last month and affects Internet Explorer. But according to Jim Walter, manager of the McAfee Threat Intelligence Service, the MHTML problem is narrower in scope than most recent zero-days.
"The scope and impact of the MHTML vulnerability is relatively limited compared to other recent zero-day code execution vulnerabilities," Walter said in a statement. "Based on the information that is currently available, we are aware that successful exploitation could lead to the running of arbitrary scripts, as well as the disclosure of sensitive information."
More details about the list of fixes, and ways to deploy them, can be found in Microsoft's Security Response Center blog.