As part of its regular monthly release cycle, Microsoft on Tuesday issued 12 security updates that address 22 vulnerabilities across various products, including Windows, Internet Explorer (IE), and Office. But two of the fixes are getting particular attention, including one that addresses a recently revealed IE flaw.
The IE-related update actually addresses four separate flaws and is rated critical. But the big fix is for a previously reported CSS bug that's found in all supported IE versions and could lead to remote code execution. Some had expected Microsoft to issue a fix for that particular flaw before Patch Tuesday (or "out of band," in the software giant's parlance). But the company said this week that targeted attacks had been extremely limited, and it offered up telemetry to prove its point.
The other notable update is optional and was previously released in 2009; by including it in Windows Update, Microsoft hopes more users will find and install it. This component updates Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 to behave like Windows 7 with regard to the OS's AutoRun functionality. That is, executable programs on non-optical media (USB sticks, for example) will no longer be offered as an AutoPlay option; only CD and DVD drives keep the behaviour. AutoRun from removable media is commonly used to spread malware, Microsoft says.
"Windows XP users were nearly 10 times as likely to get infected by ... worms in comparison to Windows 7," Microsoft's Holly Stewart wrote in a blog post comparing malware attacks on Windows 7 and XP. "Although causative proof is difficult to quantify, it is quite possible that these figures reflect, at least in part, the improvements made to the security of AutoRun in Windows 7."
To find the update in XP, you must run Microsoft Update and choose Custom rather than Express, and then select Optional Updates and locate the vaguely named Update for Windows XP. If you expand the description for this item, it will read, "Install this update to restrict AutoRun entries in the AutoPlay dialog to only CD and DVD drives. After you install this item, you may have to restart your computer."
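For administrators who want to audit the related Group Policy setting rather than click through Windows Update, the following PowerShell script is an added example (not from the article or from Microsoft). It reads the standard NoDriveTypeAutoRun policy value, which controls the drive types for which Windows honours AutoRun, and decodes its bits. The bit meanings and the 0x91 default are the standard Windows drive-type flags; the script only reports the policy state and does not detect whether the optional 2009 update itself is installed.

```powershell
# Added example (not from the article): decode the NoDriveTypeAutoRun policy
# value that controls which drive types Windows honours AutoRun/AutoPlay for.
# The bit values below are the standard DRIVE_* type flags; 0x91 is the Windows
# default and 0xFF disables AutoRun on every drive type. This reads the policy
# only; it does not tell you whether the optional update the article describes
# is installed.

$driveTypeBits = @{
    0x01 = 'Unknown type'
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed (hard disks)'
    0x10 = 'Network drives'
    0x20 = 'CD/DVD'
    0x40 = 'RAM disk'
    0x80 = 'Drives of unrecognised type'
}

function Get-NoDriveTypeAutoRun {
    param([string]$Hive)   # 'HKLM' (machine policy) or 'HKCU' (user policy)
    $path = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.NoDriveTypeAutoRun }
    return $null
}

foreach ($hive in 'HKLM', 'HKCU') {
    $value = Get-NoDriveTypeAutoRun -Hive $hive
    if ($null -eq $value) {
        Write-Output "${hive}: NoDriveTypeAutoRun not set (Windows default 0x91 applies)"
        $value = 0x91
    } else {
        Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2}" -f $hive, $value)
    }
    foreach ($bit in ($driveTypeBits.Keys | Sort-Object)) {
        # A set bit means AutoRun is suppressed for that drive type.
        $state = if ($value -band $bit) { 'AutoRun DISABLED' } else { 'AutoRun allowed ' }
        Write-Output ("    {0}  {1}" -f $state, $driveTypeBits[$bit])
    }
    if (($value -band 0x04) -eq 0) {
        Write-Output "    Removable media still honour AutoRun under this policy; the policy alone does not give the Windows 7 behaviour."
    }
}
```

The machine-wide (HKLM) value takes precedence over the per-user one when both are set, so the HKLM line is the one to act on in a domain environment. Setting the value to 0xFF through Group Policy is the usual belt-and-braces step alongside installing the update.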
You can find out more about Microsoft's February 2011 security bulletins on the Microsoft website.