Microsoft Black Tuesday Preview, February 2010

February 4, 2010

In keeping with its customary schedule, Microsoft today released a Security Bulletin Advance Notification for the security patches it intends to release for Windows and its components next Tuesday, February 9. The plan includes 13 separate patches, 11 for Windows and 2 for Microsoft Office. All supported versions of Windows are affected, and all have at least two vulnerabilities rated Critical, Microsoft's highest severity rating. The table below gives the breakdown:

Windows Version          Critical   Important   Moderate/Low
Windows 2000                 4          4            1
Windows XP                   4          3            1
Windows Vista                2          4
Windows Server 2003          3          4            2
Windows Server 2008          2          5            1
Windows 7                    2          3
Windows Server 2008 R2       2          2            1

These patches do not include a fix for the Internet Explorer problem I mentioned in a post earlier today.

Both of the patches for Microsoft Office are rated Important. Mac users should note that Microsoft Office 2004 for the Mac is also affected.

As usual, the Advance Notification will be replaced by the final Security Bulletin when the patches are released next Tuesday; details such as severity ratings are subject to change until then. I will post a summary here once the final release is available.

Microsoft Investigating New IE Flaw

February 4, 2010

Microsoft has released a Security Advisory (980088) concerning a new vulnerability in Internet Explorer. The flaw would allow an attacker to access files on the PC's hard disk, with the same access privileges as the logged-in user. It appears that the flaw is present in all versions of Internet Explorer; however, Microsoft says that default configurations of Internet Explorer on Windows Vista, Windows 7, and Windows Server 2008 are not vulnerable because, by default, the browser is running with Protected Mode enabled. (Although running in Protected Mode clearly lessens the threat, I am not entirely convinced that it provides complete protection, owing to the opacity of parts of the security model.) Users should also note that this vulnerability can be triggered by clicking a link in an E-mail being read with Microsoft Outlook, Outlook Express, or Windows Mail.

The Security Advisory contains some additional suggestions for mitigation; at this point, there is no fix available.
