Microsoft plugged 22 security holes today in the second Patch Tuesday of the year.
The fixes are included in 12 security bulletins spanning Windows, Internet Explorer, Microsoft Office and IIS. Three of the bulletins are rated “critical” while the other nine are considered “important.”
Within the critical bulletins are fixes for a bug in the Windows Graphics Rendering Engine Microsoft warned users about in January, as well as a vulnerability in IE (Internet Explorer) resulting from the creation of uninitialized memory during a CSS (cascading style sheet) function within IE. The company issued the advisory for the IE flaw in December, and has seen limited, targeted attacks focused on the vulnerability.
“Among the six previously public vulnerabilities fixed, the Internet Explorer Cascading Style Sheet issue is the only one Symantec is seeing actively being used in attacks,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “The attacks aren’t extremely widespread, but we did recently see a spike in activity. IT managers should patch this right away, especially those that have not implemented the temporary workaround released last month.”
“At least one of the other critical Internet Explorer vulnerabilities patched is also likely to be exploited,” Talbot added. “The uninitialized memory corruption vulnerability appears to be even easier to take advantage of than the Cascading Style Sheet flaw. So, if cyber-criminals are able to reverse-engineer the patch-and they will certainly try to-we’ll probably see exploits for that one, too.”
Additionally, the third critical bulletin addresses a bug involving the OpenType CFF (Compact Font Format) driver that affects all supported versions of Windows. According to Microsoft, the vulnerability could allow remote code execution if a user is tricked into viewing content rendered in a specially crafted CFF font.
Microsoft left open the MHTML vulnerability the company warned users about last month that affects all versions of Windows.
“The scope and impact of the MHTML vulnerability is relatively limited, compared to other recent zero-day code execution vulnerabilities,” said Jim Walter, manager of the McAfee Threat Intelligence Service for McAfee Labs. “Based on the information that is currently available, we are aware that successful exploitation could lead to the running of arbitrary scripts, as well as the disclosure of sensitive information.”