Microsoft issued 12 security bulletins today to cover nearly two dozen vulnerabilities, including critical ones in Internet Explorer and Windows.
Microsoft plugged 22
security holes today in the second Patch Tuesday of the year.
The fixes are included in 12
security bulletins spanning Windows, Internet Explorer, Microsoft Office and
IIS. Three of the bulletins are rated "critical" while the other nine are
Within the critical
bulletins are fixes for a bug in the Windows Graphics Rendering Engine
Microsoft warned users about in January, as well as a vulnerability in IE
(Internet Explorer) resulting from the creation of uninitialized memory
during a CSS
(cascading style sheet) function within IE. The company issued
the advisory for the IE flaw in December, and has seen limited, targeted
attacks focused on the vulnerability.
"Among the six previously
public vulnerabilities fixed, the Internet Explorer Cascading Style Sheet issue
is the only one Symantec is seeing actively being used in attacks," said Joshua
Talbot, security intelligence manager for Symantec Security Response. "The
attacks aren't extremely widespread, but we did recently see a spike in
activity. IT managers should patch this right away, especially those that have
not implemented the temporary workaround released last month."
"At least one of the other
critical Internet Explorer vulnerabilities patched is also likely to be
exploited," Talbot added. "The uninitialized memory corruption vulnerability
appears to be even easier to take advantage of than the Cascading Style Sheet
flaw. So, if cyber-criminals are able to reverse-engineer the patch-and they
will certainly try to-we'll probably see exploits for that one, too."
Additionally, the third
addresses a bug involving the OpenType CFF (Compact Font
Format) driver that affects all supported versions of Windows. According to
Microsoft, the vulnerability could allow remote code execution if a user is
tricked into viewing content rendered in a specially crafted CFF font.
Microsoft left open the MHTML
the company warned users about last month that affects
all versions of Windows.
"The scope and impact of the
MHTML vulnerability is relatively limited, compared to other recent zero-day
code execution vulnerabilities," said Jim Walter, manager of the McAfee Threat
Intelligence Service for McAfee Labs. "Based on the information that is
currently available, we are aware that successful exploitation could lead to
the running of arbitrary scripts, as well as the disclosure of sensitive