Microsoft pre-Valentine's Day Patch Tuesday includes three zero-day fixes

Apparently, Microsoft isn’t just sharing the love with IT administrators. The company is also sharing the love with 900 million Internet Explorer (IE) users by issuing a patch for the IE zero-day flaw in the cascading style sheet (CSS) function that enables remote code execution, noted Paul Henry, a security and forensic analyst at Lumension.

“Last month, we were waiting for the IE patch that never came and this month we get to celebrate the national day of love by all of us simultaneously rebooting our PCs”, he said.

Henry expressed concerns over the size of the reboot. “As we know from experience, reboots of this magnitude have been known to upset services and applications so it’s possible we will see similar problems to what we encountered in 2007 when a large Microsoft Patch that required a reboot crippled applications, Skype in particular.”

In addition to the IE zero-day fix, Microsoft is fixing another zero-day flaw that Henry thought should have been fixed in January: a flaw in the Windows graphics rendering engine that also enables remote code execution.

Wolfgang Kandek, chief technology officer at Qualys, said that these zero-day flaws “have seen limited exploits in the wild, so applying the update is highly recommended.” He noted that the recently discovered MHTML flaw in IE will not be addressed on Tuesday and recommended that users employ the workaround suggested by Microsoft in its advisory.

Andrew Storm, director of security for nCircle, lamented that “Microsoft started this year in a bad spot – they were picking up the pieces from a number of public zero-day bugs.” He said he was encouraged to see that Microsoft was addressing the IE and Windows zero-day flaws, as well as a zero-day denial-of-service bug in the FTP service of Microsoft’s Internet Information Server (IIS).

The remaining Patch Tuesday updates address lesser flaws in Windows, Office, and Microsoft's development platform Visio.
