Network World

Julie Bort

Microsoft patches 22 bugs, stops Autorun hole that helps Conficker

Patch Tuesday is a biggie, as expected, with a surprise addition for XP, Vista that stops USB infections via Autorun.

By Microsoft Subnet on Tue, 02/08/11 - 2:32pm.

As expected, Microsoft's February Patch Tuesday is big: 22 bugs fixed via 12 updates, including patches for three zero-day exploits. Microsoft also made a change to the Autorun services in XP and Vista that it hopes will put a cramp in the spread of Conficker.

Note that the Internet Storm Center (ISC) recommends a slightly different patching priority than Microsoft does. ISC advises that three holes get patched pronto, as exploit code is already available; one of them is fixed by an update that Microsoft rates only "important." ISC's list of pronto patches is:

  • MS11-003, a zero-day IE bug disclosed to the public in December that ISC says is being actively exploited now. It affects all supported versions of IE (6, 7, 8). The hole let attackers hijack a PC by manipulating IE's HTML engine when the browser processed CSS that included "@import" rules, and it sidestepped Windows 7 security.
  • MS11-004, a zero-day for IIS users that fixes a hole in the Web server's FTP service. It is rated "important" because FTP is not turned on by default; however, proof-of-concept code is already out there.
  • MS11-006, the much-publicized Graphics Rendering Engine hole that affects Windows XP, Vista and Server 2003. It does not affect Windows 7 or Windows Server 2008.

Meanwhile, Microsoft has a somewhat different priority list. Instead of the FTP hole, it recommends users immediately deploy MS11-007, which fixes a hole rated critical because it could allow remote code execution or elevation of privilege. ISC says it is not aware of exploit code in the wild. The update fixes a hole in the OpenType Compact Font Format driver; the attack requires victims to open a malicious file.

Figure: Microsoft February Patch Tuesday, Microsoft's recommended patching order.

It's an equal opportunity Patch Tuesday ... there are patches for all versions of Windows, including Windows 7 and Server 2008 R2, but only a single patch for Microsoft Office wares, for Visio.

Older versions of Windows, XP and Vista, will also get a change to the Windows Autorun service that prevents thumb drives from automatically launching applications and files -- a favorite tactic for spreading Conficker.

Microsoft didn't claim that Autorun was a vulnerability, so technically the change is not a patch but an advisory. Users who get their patches via Windows Update AutoUpdate will, however, get this change as well. According to the MSRC blog, the change affects how Autorun handles security when dealing with storage media defined as "non-shiny." Shiny media are CD-ROMs and DVDs. Windows 7 already disables Autorun for so-called non-shiny devices, otherwise known as USB thumb drives. Those who install this update will get the same protection on their older Windows machines. "We believe this is a huge step towards combating one of the most prevalent infection vectors used by malware such as Conficker," said Angela Gunn on the MSRC blog.
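The Autorun change above is delivered as an update, but the setting administrators have long used to restrict Autorun per drive type is the NoDriveTypeAutoRun registry policy, which is a bitmask over the Win32 drive types. The Python below is an added example, not code from the article or from Microsoft: it decodes that bitmask, parses the policy out of `reg export` text, and reports whether removable and fixed drives, the two types a USB stick can present as, are both covered. The bit-to-drive-type mapping and the `reg export` line format are assumptions stated in the comments; the .reg sample is constructed, not captured from a real machine.

```python
"""Audit NoDriveTypeAutoRun policy values for coverage of USB (non-shiny) media.

Added example, not Microsoft's code. Bit values follow the Win32 drive-type
constants that the NoDriveTypeAutoRun DWORD is documented to use (assumption
stated here); the .reg text below is a constructed sample of `reg export` output.
"""
import re

# Bit -> drive type whose Autorun the bit disables (assumed Win32 mapping).
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",   # USB thumb drives, floppies
    0x08: "DRIVE_FIXED",       # hard disks; some USB disks report as fixed
    0x10: "DRIVE_REMOTE",      # network shares
    0x20: "DRIVE_CDROM",       # the "shiny" media Autorun was designed for
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_RESERVED",    # "drives of unknown type" bit
}

# Constructed `reg export` sample: HKLM leaves removable/fixed permitted (0x91),
# HKCU disables Autorun everywhere (0xFF). HKLM policy wins on a real system.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{8})\s*$')


def disabled_drive_types(mask: int) -> set:
    """Names of the drive types for which this mask disables Autorun."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}


def covers_usb_media(mask: int) -> bool:
    """True only if both drive types a USB stick can present as are disabled."""
    return bool(mask & 0x04) and bool(mask & 0x08)


def parse_reg_export(text: str) -> dict:
    """Map each registry key path in `reg export` text to its NoDriveTypeAutoRun value."""
    found = {}
    current_key = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            found[current_key] = int(value_match.group(1), 16)
    return found


def audit(text: str) -> dict:
    """Per-key report: raw mask, disabled drive types, and USB coverage verdict."""
    report = {}
    for key, mask in parse_reg_export(text).items():
        report[key] = {
            "mask": mask,
            "disabled": sorted(disabled_drive_types(mask)),
            "usb_covered": covers_usb_media(mask),
        }
    return report


if __name__ == "__main__":
    for key, entry in audit(SAMPLE_REG_EXPORT).items():
        verdict = "covers USB media" if entry["usb_covered"] else "USB media still permitted"
        print(f"{key}\n  mask=0x{entry['mask']:02x} {verdict}; disabled={entry['disabled']}")
```

On a live machine the text would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer out.reg` (and the HKCU twin); a machine-wide 0xFF is the setting to look for when confirming that a pre-Windows 7 fleet no longer honours autorun.inf on thumb drives.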

Most of these patches require a restart. Some security experts have warned that a giant restart of millions of Windows machines could take place as AutoUpdate runs, which could cause huge numbers of machines to log back into background services on an enterprise network or across the Web at once, knocking those services offline.

Interestingly, the MSRC blog also offers a lengthy defense of why the security team didn't hurry up and release an out-of-band patch for the IE CSS bug even though active exploits were being reported. Microsoft said its research showed that attempts to exploit the hole were few, so it decided it wasn't worth stressing out its customers with an out-of-band patch. Its conclusion on the number of attempted attacks came from monitoring by its own Malware Protection Center.

In any case, both ISC and Microsoft say that now that the patch is here ... HURRY UP and deploy it.

For your convenience, here is the full list of updates provided by Microsoft.

Microsoft February Security Bulletins:

  • MS11-003 addresses four vulnerabilities in Internet Explorer; it has a maximum severity rating of Critical and an Exploitability Index rating of 1.
  • MS11-004 addresses one vulnerability in Internet Information Services FTP Service; it has a maximum severity rating of Important and an Exploitability Index rating of 2.
  • MS11-005 addresses one vulnerability in Windows; it has a maximum severity rating of Important and an Exploitability Index rating of 3.
  • MS11-006 addresses one vulnerability in Windows; it has a maximum severity rating of Critical and an Exploitability Index rating of 1.
  • MS11-007 addresses one vulnerability in Windows; it has a maximum severity rating of Critical and an Exploitability Index rating of 2.
  • MS11-008 addresses two vulnerabilities in Microsoft Office; it has a maximum severity rating of Important and an Exploitability Index rating of 1.
  • MS11-009 addresses one vulnerability in Windows; it has a maximum severity rating of Important and an Exploitability Index rating of 3.
  • MS11-010 addresses one vulnerability in Windows; it has a maximum severity rating of Important and an Exploitability Index rating of 1.
  • MS11-011 addresses two vulnerabilities in Windows; it has a maximum severity rating of Important and an Exploitability Index rating of 1.
  • MS11-012 addresses five vulnerabilities in Windows; it has a maximum severity rating of Important and an Exploitability Index rating of 1.
  • MS11-013 addresses two vulnerabilities in Windows; it has a maximum severity rating of Important and an Exploitability Index rating of 1.
  • MS11-014 addresses one vulnerability in Windows; it has a maximum severity rating of Important and an Exploitability Index rating of 1.
  • Microsoft's update of Security Advisory 967940, which improves security of Autorun in XP and Vista. 

Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.
