IT Departments Strained by Record Breaking Patch Tuesday

After a light start to the year in terms of patching, Microsoft is throwing out its heaviest patch load in four years for IT departments to tackle for the month of February with 13 patches in all – five of which have a maximum security rating of critical.

Three of the critical patches stand out from the pack (all require a reboot):

MS10-013: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
This bulletin addresses a vulnerability in Microsoft DirectShow where a specially crafted AVI file leads to remote execution of hacker code. This vulnerability is rated “critical” across all currently supported Microsoft Windows platforms (including Windows 7 and Windows Server 2008 R2, Microsoft’s most recently released platforms). The resulting required reboot of all Windows computers in an organization could mean significant disruption in workplace productivity.

MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
This bulletin contains a very concerning vulnerability (CVE-2010-0017) in the Server Message Block (SMB) Protocol. A specially crafted SMB packet can enable a hacker to take complete control of the machine and execute arbitrary code, with no need for any level of authentication on the computer. Even more concerning is that Microsoft rates this vulnerability as a “1” on its Exploitability Index, which is interpreted as “Consistent exploit code likely.” However, Microsoft states that an alternative denial-of-service attack may be more probable through this vulnerability.

MS10-007: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
This patch covers a vulnerability in the ShellExecute API function that a remote hacker could exploit to execute code on the computer. Microsoft also rates the associated CVE (CVE-2010-0027) as a “1” on its Exploitability Index. A high exploitability index associated with a vulnerability in a shell-oriented API is sure to earn this vulnerability intense scrutiny from the hacker community.

Microsoft also recommends prioritizing MS10-008 and MS10-015.

While IT teams are looking at this big list of Microsoft patches, they should also review other patches that have recently been released by leading technology companies:

  • An unscheduled Oracle Security Alert for CVE-2010-0073 was released on February 4, 2010. Oracle strongly recommends applying the patches as soon as possible.
  • Novell released a patch for NetStorage for an issue where a remote user may execute arbitrary code. The vulnerability does not require authentication and impacts systems running on both Novell and Linux.
  • LANDesk released a patch for a vulnerability in one of the LANDesk Management Gateway pages that allows an attacker to perform command injection under certain circumstances. This vulnerability could lead to arbitrary commands being executed under the root context.
  • Google issued a Chrome security update for 11 vulnerabilities.

All in all, this will be a very busy week for IT teams trying to keep their organization’s computers safe!
