Microsoft's February Patch Tuesday will see the release this week of 12 security bulletins, patching a total of 22 vulnerabilities, including three that could be exploited via zero-day attacks.
According to Wolfgang Kandek, CTO of Qualys, "these vulnerabilities have seen limited exploits in the wild, so applying the update is highly recommended."
One of those bugs, a CSS-related vulnerability that affects all versions of Internet Explorer, was disclosed in late 2010 by a Google researcher. By early January, security firms reported that attackers were actively exploiting the bug.
Microsoft will also patch a zero-day vulnerability in the Windows Graphics Rendering Engine. Attackers could exploit the flaw using malicious thumbnail images, and execute arbitrary code at the user's permission level.
The third zero-day vulnerability to be patched is an FTP service bug, first acknowledged in December 2010, that affects Internet Information Services (IIS) 7.0 and 7.5, although not IIS Web Services. While attackers could exploit this vulnerability to cause a denial of service, Microsoft said it was unlikely they could remotely execute code. Also, most organizations that use IIS likely won't be vulnerable, since the IIS FTP service is not installed by default and, even when installed, is not enabled by default.
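Because exposure to this bug hinges on whether the IIS FTP service is present and running, an administrator can check that on each IIS host before deciding how urgently the bulletin matters. The script below is an added example, not code from the article or from Microsoft; it assumes a Windows Server 2008 / 2008 R2 host with PowerShell 2.0 and that the IIS 7.x FTP Publishing Service is registered under the service name "ftpsvc" (the name is an assumption to verify against your own build).

```powershell
# Added example (not from the article): report whether the IIS 7.x FTP
# service is installed, how it is configured to start, and whether it is
# currently running, so the host's exposure to the FTP bug can be triaged.
# Assumptions: PowerShell 2.0 on Windows Server 2008/2008 R2; the IIS FTP
# Publishing Service uses the service name 'ftpsvc'.
function Get-IisFtpExposure {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='ftpsvc'"

    if ($null -eq $svc) {
        # Service not registered: the FTP role service is not installed,
        # which is the default for IIS 7.0 and 7.5.
        return New-Object PSObject -Property @{
            ComputerName = $env:COMPUTERNAME
            Installed    = $false
            StartMode    = 'n/a'
            State        = 'n/a'
            Exposed      = $false
        }
    }

    # Installed: only a running service can be reached by remote clients.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Installed    = $true
        StartMode    = $svc.StartMode   # Auto / Manual / Disabled
        State        = $svc.State       # Running / Stopped
        Exposed      = ($svc.State -eq 'Running')
    }
}

# Optional corroboration: is anything actually listening on the FTP
# control port (TCP 21)? Empty output means no listener.
function Get-FtpListener {
    netstat -ano -p TCP | Select-String -Pattern ':21\s+.*LISTENING'
}

Get-IisFtpExposure | Format-List
Get-FtpListener
```

Run it under an account with local administrator rights (WMI service queries and netstat need no more than that). A host that reports `Installed = False`, or `Installed = True` with `State = Stopped` and `StartMode = Disabled`, is not reachable through the FTP service and can take the bulletin on the normal patch schedule; a host with `Exposed = True` and a port-21 listener should be prioritised.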
The other forthcoming patches will address less-critical bugs affecting Microsoft Windows, Visual Studio, and Microsoft Office's Visio, versions 2002, 2003, and 2007.
All told, three of Microsoft's security bulletins rate as "critical," while nine are "important," meaning that they typically can't be used to remotely run exploit code.
Two zero-day exploits currently targeting Microsoft products, however, won't be addressed in Tuesday's security update. Notably, a recently disclosed vulnerability in MHTML affects all versions of Windows. Microsoft acknowledged the bug 10 days ago and released a temporary workaround while it develops a permanent fix.
In other vulnerability remediation news, Tuesday will also see the release of a new batch of patches from Adobe as part of its quarterly bug-fix release cycle. Adobe said it will patch critical vulnerabilities in Adobe Reader X (aka version 10) and earlier versions for Windows and Macintosh, and Adobe Acrobat X and earlier versions, likewise for Windows and Macintosh. Adobe said that while Reader 9.4.1 for Unix contains critical vulnerabilities too, it won't see a patch before the end of February.