Microsoft To Patch 22 Vulnerabilities With Update

Microsoft is preparing a hefty security update for next week, unlike last month’s relatively light Patch Tuesday.

Microsoft’s February update will include 12 security bulletins, including three that are rated “Critical.” All totalled, the bulletins will address 22 vulnerabilities spanning Windows, Internet Explorer, Microsoft Office, Visual Studio and IIS.

IE Flaw

“As part of this month’s update, we’ll be addressing issues related to two recent Security Advisories, 2490606 (a public vulnerability affecting the Windows Graphics Rendering Engine) and 2488013 (a public vulnerability affecting Internet Explorer),” blogged Angela Gunn, security response communications manager for Microsoft Trustworthy Computing. “Additionally, we will be addressing an issue affecting FTP service in IIS 7.0 and 7.5.”

Microsoft warned users about the Windows Graphics Rendering Engine flaw in January after exploit code for the bug was made public.

The vulnerability is caused by the engine improperly parsing a specially crafted thumbnail image, resulting in a stack overflow, the company explained in its advisory. In order to exploit the vulnerability, an attacker must convince a user to visit a malicious web page or open a Word or PowerPoint file containing a malicious thumbnail image.

Limited Attacks

The Internet Explorer vulnerability mentioned in advisory 2488013 exists due to the creation of uninitialised memory during a CSS (cascading style sheet) function within Internet Explorer. The company issued the advisory for that flaw in December, and has seen limited, targeted attacks focused on the vulnerability.

In addition to the three critical bulletins are nine others rated as “Important.”

The bulletins are slated to be released Tuesday 8 February.