FRAMINGHAM, 3 FEBRUARY 2011 - Microsoft (MSFT) today said it will issue 12 security updates next week to patch 22 vulnerabilities in Internet Explorer (IE), Windows, its Internet server and Visio, the company's data diagramming tool.
The company also announced it will provide patches next Tuesday for three bugs it has already acknowledged, including one that has been exploited by criminals for several weeks.
"The big news is that there are three zero-days that are being patched," said Andrew Storms, director of security operations at nCircle Security, talking about the trio of confirmed flaws.
Of the three unpatched-but-admitted vulnerabilities, one is in IE, a second is in Windows' rendering of thumbnail images and the third is in IIS (Internet Information Server), Microsoft's popular Web server software.
Microsoft acknowledged the IE bug on Dec. 22, several weeks after French security firm Vupen issued a bare-bones advisory that said all versions of IE, including 2009's IE8, were vulnerable. Shortly after that, Microsoft warned users that attackers were exploiting the bug.
The Windows flaw is in the graphics engine's rendering of thumbnail images inside folders. The bug was disclosed in mid-December 2010 at a South Korean security conference, and Microsoft published an advisory Jan. 4. At the time, the company said it would not release an emergency, or "out-of-band" patch for the problem.
Also in early January, Microsoft took the unusual step of listing the known bugs that it had yet to patch, detailing five unfixed flaws. Next week's updates will address three of those five.
"They're patching the red, orange and yellow," said Storms, referring to the color codes assigned by Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC).
"That's good news, great news," Storms continued.
Some vulnerabilities Microsoft has conceded will not be patched next week, however, including a flaw in the MHTML (MIME HTML) protocol handler that the company confirmed only last Friday. Security experts last week were unanimous in betting that the MHTML vulnerability would not be fixed with this month's round of updates.
Of the dozen updates expected next week, three will be labeled "critical," Microsoft's highest threat ranking, while the remaining nine will be marked "important." Microsoft typically assigns a critical rating to vulnerabilities that can be exploited with little or no action on the part of a user.
This year's February patch batch is slightly smaller than 2010's, when Microsoft shipped 13 security updates that quashed 25 bugs.