Microsoft on Tuesday released 12 advisories to cover 17 security flaws in a range of products, including high-priority patches for Internet Explorer, Windows Media Player, Windows Messenger and MSN Messenger.
The February batch of patches includes eight "critical" fixes, and Microsoft officials say IT administrators should prioritize and deploy patches for four potentially dangerous code-execution holes.
Stephen Toulouse, program manager at the Microsoft Security Response Center, told eWEEK.com that the company has identified the four "high-priority" patches because of the availability of public exploits that target those holes.
The four are MS05-009, which affects PNG processing in the media player and instant messaging software; MS05-010 for a flaw in the Windows license logging service; MS05-011 for a bug in the Windows Server Message Block; and MS05-014, which is a cumulative fix for the IE browser.
"If you're applying these patches manually, you should prioritize these four," Toulouse said, warning that a successful attack could cause major damage within a network.
He said the Internet Explorer fix, which has been under development since last October, addresses the previously reported high-risk vulnerabilities that could allow system hijack, cross-site/zone scripting and security bypass.
The IE update affects users of Windows 98, Windows ME, Windows 2000 Service Pack 3 and Service Pack 4, Windows XP Service Pack 1 and Service Pack 2, and Windows Server 2003.
According to Microsoft, the IE fix corrects a drag-and-drop flaw that puts users at risk of PC hijack; a URL decoding zone spoofing vulnerability; a DHTML Method heap memory corruption bug; and a cross-domain vulnerability in CDF (Channel Definition Format).
Toulouse also urged Windows users to prioritize and apply patches for the PNG processing flaw that affects Windows Media Player 9 Series, Windows Messenger 5.0, and Microsoft Messenger 6.2 and 6.2.
"An attacker could try to exploit the vulnerability by constructing a malicious PNG that could potentially allow remote code execution if a user visited a malicious Web site or clicked a link in a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft warned in the advisory.