Softpedia
 


April 8th, 2011, 16:48 GMT · By

Two Windows Zero-Day Vulnerabilities to Be Patched on Tuesday



Microsoft to patch 64 vulnerabilities next Tuesday
Microsoft is preparing a monster batch of patches for next Tuesday, which will include fixes for two Windows vulnerabilities already known for a couple of months.

In total, Microsoft will release 17 security bulletins covering 64 vulnerabilities in Windows, Office, Internet Explorer and other products.

Nine bulletins are rated as critical and eight as important, meaning that administrators will have a lot of work on their hands with testing, prioritizing and deploying patches across their networks.

One vulnerability for which Microsoft will finally provide a fix is located in the MIME Encapsulation of Aggregate HTML (MHTML) protocol handler.

The flaw, identified as CVE-2011-0096, was originally disclosed in a Chinese-language hacking webzine back in January and affects all supported versions of Windows.

Proof-of-concept exploit code was published for nine different attack scenarios, including server-side and local cross-site scripting launched from maliciously crafted PDF or Word files.

Microsoft didn't address the vulnerability, rated as "important," in February or March, despite limited attacks being observed in the wild. It did, however, release a "Fix it" tool to temporarily mitigate the risks by prompting a permission dialog before opening MHTML links in IE.

The second zero-day vulnerability to be patched is rated as critical and concerns the SMB Browser protocol used to discover computers and resources on local networks.

This flaw was disclosed by an anonymous researcher in mid-February and confirmed by Microsoft soon afterwards. However, Microsoft's security research team concluded that while remote code execution is theoretically possible, developing an exploit for this purpose is unlikely.

"To this day, we have seen no evidence of attacks," says Pete Voss, senior response communications manager with Microsoft's Trustworthy Computing group. As usual, an advanced notification page containing information about the upcoming security bulletins has been published.
