Microsoft may have started 2011 slowly in regards to Patch Tuesday fixes, but this month will be the exact opposite.
Next week, Microsoft plans to release 12 security bulletins, including three that are rated “Critical.” All totaled, the bulletins will address 22 vulnerabilities spanning Windows, Internet Explorer, Microsoft Office, Visual Studio and IIS.
“As part of this month’s update, we’ll be addressing issues related to two recent Security Advisories, 2490606 (a public vulnerability affecting the Windows Graphics Rendering Engine) and 2488013 (a public vulnerability affecting Internet Explorer),” blogged Angela Gunn, security response communications manager for Microsoft Trustworthy Computing. “Additionally, we will be addressing an issue affecting FTP service in IIS 7.0 and 7.5.”
Microsoft warned users about the Windows Graphics Rendering Engine flaw in January after exploit code for the bug was made public. The vulnerability is caused by the engine improperly parsing a specially crafted thumbnail image, resulting in a stack overflow, the company explained in its advisory. In order to exploit the vulnerability, an attacker must convince a user to visit a malicious Web page or open a Word or PowerPoint file containing a malicious thumbnail image.
The Internet Explorer vulnerability mentioned in advisory 2488013 exists due to the creation of uninitialized memory during a CSS (cascading style sheet) function within Internet Explorer. The company issued the advisory for that flaw in December, and has seen limited, targeted attacks focused on the vulnerability.
In addition to the three critical bulletins are nine others rated as “Important.” The bulletins are slated to be released Feb. 8.