Microsoft issues 13 patches, warns on SSL flaw

Microsoft last night issued 13 patches covering 26 flaws, making February's edition of the monthly security update much busier than last month, which had just one fix.

One of the patches fixes a 17-year-old flaw. While that certainly sounds bad, Microsoft stressed it was "not aware of any active attacks at this time."

Five of this month's patches are rated critical, and could lead to remote code execution in Windows and Office, noted TrendMicro's Ria Rivera.

"Unless patched, an attacker could exploit any of the said vulnerabilities to gain control of the user's system," he noted in a blog post.

"Most notable on the list is MS10-013 [affecting DirectShow], which could give an attacker complete control of an affected system," he added. "Considering the damage that exploiting this vulnerability could cause, it is very important that users patch their systems as soon as possible."

New flaw

Microsoft also said it was investigating reports of a new flaw in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Microsoft said it hadn't yet seen any attacks using the vulnerability, but that it was still important to investigate.

"As an issue affecting an internet standard, we recognize that this issue affects multiple vendors," Microsoft said in a security bulletin, noting the two protocols are used in its own client and server products.

"We are working on a coordinated response with our partners in the Internet Consortium for Advancement of Security on the Internet (ICASI)," the statement said.

Microsoft said it had developed a workaround that disables TLS and SSL renegotiation functionality, but because some applications require renegotiation in order to work, the workaround should be tested before it is deployed.

Microsoft said it will issue an update, possibly through the monthly patching cycle, if necessary.