Among the addressed flaws is one associated with a CSS function in Internet Explorer that could lead to the execution of arbitrary code by visiting an attacker's web page. Notably absent is a fix for the cross-site scripting vulnerability in MHTML that affects all supported versions of Windows, though Microsoft has provided a workaround (scroll down and expand Mitigating Factors and Suggested Actions for more info):
- Enable the MHTML protocol lockdown.
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
Virtually all of Microsoft's supported operating systems will receive a patch, from Windows XP SP3 and Server 2003 SP2 through Windows 7 and Server 2008 R2. Internet Explorer 6, 7 and 8 are listed more than once, while affected Office software is limited to Visio 2002, 2003 and 2007. As usual, Microsoft will host a webcast to address customer questions on February 9 at 11AM Pacific. Oh, and nearly all of the bulletins call for a reboot, so heads up on that.