Next week Microsoft will offer a dozen security bulletins designed to patch vulnerabilities in a range of products including Internet Explorer and Windows. According to preliminary information supplied by the software giant, the imminent patch packages will include security updates for zero-day vulnerabilities affecting both IE and Windows.
“This month, we'll release 12 bulletins, three of them rated Critical and nine rated Important, addressing issues in Microsoft Windows, Internet Explorer, Office, Visual Studio, and IIS. 22 issues will be addressed,” revealed Angela Gunn, Security Response Communications Manager, Trustworthy Computing, Microsoft.
“As part of this month's update, we'll be addressing issues related to two recent Security Advisories, 2490606 (a public vulnerability affecting the Windows Graphics Rendering Engine) and 2488013 (a public vulnerability affecting Internet Explorer).
“Additionally, we will be addressing an issue affecting FTP service in IIS 7.0 and 7.5. The bulletin release is once again slated for the second Tuesday of the month -- February 9th at 10:00 a.m. PST,” Gunn explained.
The Graphics Rendering Engine security flaw impacts all supported versions of Windows with the exception of Windows 7 and Windows Server 2008 R2.
Microsoft first confirmed this vulnerability at the start of January 2011, but so far there appear to be no attacks targeting customers.
“An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
“Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft added.
The IE vulnerability, however, which the software giant reported in late December 2010, is being used as an avenue for exploits in limited attacks.
“The vulnerability exists due to the creation of uninitialized memory during a CSS function within Internet Explorer. It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution,” the company explained.