If I was going to try to summarize the scope of patches for February the term that comes to mind is ‘massive’. February not only included nine security patches for 21 vulnerabilities in almost all current Microsoft products including Windows Client Operating Systems, Windows Server Operating Systems, Internet Explorer, Windows Media Player, Visio (Viewer), SharePoint, and .NET/Silverlight, but several third party vendors also released updates on February 14/15. These products include: Adobe Flash (which included addressing a vulnerability that was actively being exploited), Adobe Shockwave, Oracle Java and also Google Chrome.
In light of the scope of the patches, the February ISO recommendation would be as follows:
- Patch all workstations as soon as possible with both Microsoft (especially patch MS12-010 and also MS12-013) and third party updates;
- Patch all server installations as soon as time permits.
To the knowledge of the AgriLife ISO, with the exception of the MS12-016 patch for Silverlight 4, no problems have been experienced with the installation of these patches. Early in the patch release on February 14, customers reported that some Windows 7, Vista and XP machines (both 32 and 64 bit) experienced an error when the KB2668562 patch installation was attempted. That condition has since been identified as a problem with metadata (logic) error. The patch was re-released later in the day on February 14. See the following URL for details – http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/kb2668562-silverlight-update-will-not-install-feb/46bcf0b1-c9b8-41f5-b802-b6a8e822d930
Details on specific products patched by bulletin
- http://technet.microsoft.com/en-us/security/bulletin/ms12-008 – Windows workstation and Server OSs
- http://technet.microsoft.com/en-us/security/bulletin/ms12-009 – Windows workstation and Server OSs
- http://technet.microsoft.com/en-us/security/bulletin/ms12-010 – Internet Explorer version 6-9
- http://technet.microsoft.com/en-us/security/bulletin/ms12-011 – SharePoint
- http://technet.microsoft.com/en-us/security/bulletin/ms12-012 – Windows Server 2008 OSs only
- http://technet.microsoft.com/en-us/security/bulletin/ms12-013 – Windows workstation and Server OSs excluding Windows XP and Server 2003
- http://technet.microsoft.com/en-us/security/bulletin/ms12-014 – Windows XP workstation only
- http://technet.microsoft.com/en-us/security/bulletin/ms12-015 – Microsoft Visio viewer 2010 base and SP1 (32 and 64 bit)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-016 – .NET framework 2.0, 3.51, 4.0 and Silverlight
Patches by bulletin – details
Workstation/server OS – Bulletin #8 – two vulnerabilities in Windows Kernel Mode Drivers – http://technet.microsoft.com/en-us/security/bulletin/ms12-008
NOTE – Remote code execution vulnerability. Two vulnerabilities addressed; one had not previously publicly disclosed, the second HAD been disclosed publicly. For the vulnerability that had NOT been publicly disclosed, it is expected that reliable exploit code will materialize in the next 30 days. For the vulnerability that HAD been publicly disclosed, reliable exploit code is not expected to materialize within the next 30 days.
Applicable workstation operating systems and severity:
- Windows XP-SP3 (32 bit) – CRITICAL
- Windows XP-SP2 (64 bit) – CRITICAL
- Windows Vista-SP2 (32 and 64 bit) – CRITICAL
- Windows 7 base and SP1 (32 and 64 bit) – CRITICAL
Server OS – Bulletin #8
Applicable server operating systems and severity:
- Windows Server 2003-SP2 (32 and 64 bit) – CRITICAL
- Windows Server 2008-SP2 (32, 64 bit and Itanium) – CRITICAL/IMPORTANT*
- Windows Server 2008R2-SP2 (64 bit) and Itanium – CRITICAL/IMPORTANT*
*NOTE – Server core operating system affected – See the following URLS for details – http://technet.microsoft.com/en-us/library/ee441255%28WS.10%29.aspx or http://technet.microsoft.com/en-us/library/ff698994%28WS.10%29.aspx
For the following Server operating systems, severity is classified as IMPORTANT if Server Core installation option is used: Server 2008 SP2 (32 and 64 bit), Server 2008R2 (64 bit)
Workstation/server OS – Bulletin #9 – two vulnerabilities in Windows Ancillary Function Driver- http://technet.microsoft.com/en-us/security/bulletin/ms12-009
NOTE – Elevation of privilege (to exploit this vulnerability, an attacker would require valid logon credentials and be required to login locally). Privately disclosed vulnerability. Reliable exploit code expected within the next 30 days now the vulnerability has been made public. First vulnerability (CVE-2012-0149) only affects Windows Server 2003. Second vulnerability affects all 64 bit versions of current Windows workstation and Server operating systems.
Applicable workstation operating systems and severity:
- Windows XP-SP2 (64 bit) – IMPORTANT
- Windows Vista-SP2 (64 bit) – IMPORTANT
- Windows 7 base and SP1 (64 bit) – IMPORTANT
Server OS – Bulletin #9
Applicable workstation operating systems and severity:
- Windows Server 2003 SP2 (32, 64 bit and Itanium) – IMPORTANT
- Windows Server 2008 SP2 (64 bit and Itanium) – IMPORTANT
- Windows Server 2008R2 base and SP1 – (64 bit and Itanium) – IMPORTANT
Workstation/server OS – Bulletin #10 – Four vulnerabilities in Internet Explorer versions 6-9 http://technet.microsoft.com/en-us/security/bulletin/ms12-010
NOTE – Remote Code Execution vulnerabilities. None of the vulnerabilities have been disclosed publicly prior to February 14. Likely to see reliable exploit code within the next 30 days now the vulnerabilities are publicly known.
Applicable workstation OS and Web Browsers and severity:
- Windows XP-SP3 (32 bit) – CRITICAL for Internet Explorer versions 7 and 8
- Windows XP-SP2 (64 bit) – CRITICAL for Internet Explorer versions 7 and 8
- Windows Vista-SP2 (32 and 64 bit) – CRITICAL for Internet Explorer versions 7, 8 and 9
- Windows 7 – base and SP1 (32 and 64 bit) – CRITICAL for Internet Explorer 8 and 9
Server OS – Bulletin #10
Applicable workstation operating systems and severity:
- Windows Server 2003-SP2 (32, 64 bit and Itanium) – MODERATE for Internet Explorer version 7 and 8
- Windows Server 2008-SP2 (32, 64 bit and Itanium) – MODERATE for Internet Explorer version 7-9
- Windows Server 2008R2 base and SP1 (64 bit and Itanium) – MODERATE for Internet Explorer version 8 and 9
Application software – Bulletin #11 – three Cross Site Scripting vulnerabilities in SharePoint and SharePoint foundation – http://technet.microsoft.com/en-us/security/bulletin/ms12-011
NOTE – Elevation of privilege (to exploit this vulnerability, an attacker would require valid logon credentials and be required to login locally). Privately disclosed vulnerability. Reliable exploit code likely to materialize in the next 30 days. Exposure mitigated for users accessing SharePoint servers with Internet Explorer versions 8 and 9 due to cross site scripting blocking implemented in Internet Explorer (versions 8 and 9).
Applicable application software and Severity –
- Microsoft Office SharePoint 2010 base and SP1 – IMPORTANT
- Microsoft Office SharePoint Foundation 2010 base and SP1 – IMPORTANT
Server OS – Bulletin #12 – one vulnerability in Windows Color Control panel – http://technet.microsoft.com/en-us/security/bulletin/ms12-012
NOTE – Remote code execution. Publicly disclosed vulnerability. Reliable exploit code likely to materialize in the next 30 days. Not applicable for Windows Client Operating Systems
Applicable Server OSs and severity
- Windows Server 2008-SP2 (32 and 64 bit) – IMPORTANT*
- Windows Server 2008-SP2 (Itanium) – IMPORTANT
- Windows Server 2008R2 – 64 bit – IMPORTANT*
- Windows Server 2008R2 – Itanium – IMPORTANT
*NOTE Server core installation not affected
Workstation/server OS – Bulletin #13 – one vulnerability in Windows C Run-Time Library – http://technet.microsoft.com/en-us/security/bulletin/ms12-013
NOTE – Remote code execution. Privately reported vulnerability. Reliable exploit code likely to materialize in the next 30 days.
Applicable workstation OSs and severity
- Windows XP-SP2 – NOT applicable
- Windows Vista-SP2 (32 and 64 bit) – CRITICAL
- Windows 7-base and SP1 (32 and 64 bit) – CRITICAL
Applicable Server OSs and severity
- Windows Server 2008-SP2 (32, 64 bit and Itanium) – CRITICAL*
- Windows Server 2008R2 base and SP1 (64 bit an Itanium) – CRITICAL*
*Note server core operating system installation affected for 32 and 64 bit versions. Itanium installations not affected.
Workstation/server OS – Bulletin #14 – one vulnerability in Indeo Codec – http://technet.microsoft.com/en-us/security/bulletin/ms12-014
NOTE – Remote code execution. Publicly reported. Reliable exploit code likely to materialize in the next 30 days.
Applicable workstation OSs and severity
- Windows XP-SP3 – (32 bit) – IMPORTANT
- Windows Vista-SP2 (32 and 64 bit) – NOT applicable
- Windows 7-base and SP1 (32 and 64 bit) – NOT applicable
Applicable Server OSs and severity
- Windows Server 2003-SP2 (32, 64 bit and Itanium) – NOT applicable
- Windows Server 2008-SP2 (32, 64 bit and Itanium) – NOT applicable
- Windows Server 2008R2 base and SP1 (64 bit an Itanium) – NOT applicable
Application software – Bulletin #15 – five vulnerabilities in Visio 2010 viewer – http://technet.microsoft.com/en-us/security/bulletin/ms12-015
NOTE – Remote code execution. Privately reported. Reliable exploit code likely to materialize in the next 30 days.
Applicable applications and severity
- Microsoft Visio viewer 2010 base and SP1 – (32 and 64 bit) – IMPORTANT
Workstation and Server OSs and Development Tools and Software – Bulletin #16 – one vulnerability in .NET framework (versions 2.0, 3.51 and 4) and Silverlight – http://technet.microsoft.com/en-us/security/bulletin/ms12-016
NOTE – Remote code execution. Publicly reported. Reliable exploit code likely to materialize in the next 30 days.
Applicable workstation OSs and severity
- Windows XP-SP3 (32 and 64 bit) – CRITICAL
- Windows Vista-SP2 (32 and 64 bit) – CRITICAL
- Windows 7 base and SP1 – (32 and 64 bit) – CRITICAL
Applicable server OSs and severity
- Windows Server 2003SP2 – 32, 64 bit and Itanium – CRITICAL
- Windows Server 2008SP2 – 32, 64 bit and Itanium – CRITICAL
- Windows Server 2008R2 base and SP1 – 64 bit and Itanium – CRITICAL