Admins will have a full schedule to implement this month's critical Patch Tuesday security updates.
There are seven updates for this Patch Tuesday cycle. Four of the bulletins are marked as critical, all of which address remote code execution vulnerabilities.
Internet Explorer is spotlighted this month as it receives a critical update to address 24 vulnerabilities. Attackers can exploit these vulnerabilities if end users visit a malicious website in IE. The update is marked as critical for IE versions 6 through 11 for affected Windows clients.
This is a "rather large" number of vulnerabilities, said Wolfgang Kandek, chief technology officer of Qualys, based in Redwood Shores, Calif.
Microsoft originally planned to release just two critical security updates for February, but the company added two critical bulletins at the last minute earlier this week.
IE pops up again in another critical update, which addresses a Direct2D vulnerability in multiple versions of Windows. Attackers could take advantage of the vulnerability if end users open a malicious link in an email or instant message and use IE to visit a malicious site. The update affects Windows 7 and each following version, as well as Windows Server 2008 R2 and each following version.
Exchange Server 2010 also receives a critical security update in this Patch Tuesday cycle. The update addresses a vulnerability in Microsoft Forefront Protection for Exchange 2010, which could be exploited if the program scans an affected email.
There aren't a lot of installed copies of Microsoft Forefront Protection, and the vulnerability was discovered by Microsoft's own researchers, said Kandek.
However, a case like this "shines the light again on these libraries that interpret files," said Kandek, noting that such large libraries are bound to have a flaw or two in them. He pointed to cases like Microsoft's use of Oracle Corp.'s Outside In library as another example.
The VBScript scripting engine also has a critical security update, which fixes a vulnerability that could be exploited if end users click on a malicious link in an instant message or email.
The three important security updates in this Patch Tuesday cycle address elevation of privilege, information disclosure and denial of service vulnerabilities. XML Core Services, .NET Framework and IPv6 are all affected.
Admins will notice an increase in updates compared to last month, especially with the late addition of two critical bulletins. The Patch Tuesday cycle for January had four important security updates and no critical updates.