As expected, Microsoft posted their first big patch day of 2011 today (the last one was small). Unfortunately, the dozen security updates they released do not fix the unpatched MHTML flaw, which I mentioned in last week’s early notification. Even so, the released updates fix many serious flaws. You should start upgrading as soon as you can.
According to their Bulletin Summary for February, Microsoft released 12 security updates, which fix 22 vulnerabilities in Windows, Internet Explorer (IE), Visio, and Internet Information Services (IIS). The highlights include:
- A Critical, cumulative IE update
- An Important IIS patch, which fixes an FTP-related code execution flaw
- Nine updates for Windows and components that ship with it; two Critical and the rest Important
- And an Important Visio update
As usual, you should install the Critical updates first, as they tend to fix vulnerabilities that remote attackers can leverage to execute code on affected machines. That said, Important updates often fix serious vulnerabilities too, though typically ones that require more user interaction or affect services not installed by default. I recommend you take the Important updates just as seriously as you do the Critical ones.
As usual, Microsoft has arranged their Bulletin Summary in order of severity, so you could certainly install the updates in that order. Personally, though, I would install the IE update first, as the web is currently the biggest vector of attack. Next, I would consider installing the FTP-related IIS update. Microsoft only rates this update as Important, but I suspect they do so only because IIS doesn’t start the FTP service by default. However, if you do use the IIS FTP service, this update fixes a pretty significant flaw. After that, make your way through the Windows updates, starting with the Critical ones. Finally, finish off with the Visio patches, if you use that popular diagramming tool. As always, I recommend you test Microsoft’s patches on non-production machines before deploying them throughout your network, especially when updating servers, such as IIS.
We will shortly post more detailed information about these flaws, and how to fix them, in alerts on the WatchGuard Security Center. However, due to internal scheduling and travel, we will post these alerts later in the day than normal. Until then, I recommend you expand the “Affected Software and Download Location” section of the Summary to find solution information and get a head start with your patching.
— Corey Nachreiner, CISSP