Microsoft to patch 22 bugs, 3 zero-days next week

Gets around to fixing IE flaw that hackers are already exploiting

Microsoft today said it will issue 12 security updates next week to patch 22 vulnerabilities in Internet Explorer (IE), Windows, its Internet server and Visio, the company's data diagramming tool.

The company also announced it will provide patches next Tuesday for three bugs it has already acknowledged, including one that has been exploited by criminals for several weeks.

"The big news is that there are three zero-days that are being patched," said Andrew Storms, director of security operations at nCircle Security, talking about the trio of confirmed flaws.

Of the three unpatched-but-admitted vulnerabilities, one is in IE, a second is in Windows' rendering of thumbnail images and the third is in IIS (Internet Information Server), Microsoft's popular Web server software.

Microsoft acknowledged the IE bug on Dec. 22, several weeks after French security firm Vupen issued a bare-bones advisory that said all versions of IE, including 2009's IE8, were vulnerable. Shortly after that, Microsoft warned users that attackers were exploiting the bug.

The Windows flaw is in the graphics engine's rendering of thumbnail images inside folders. The bug was disclosed in mid-December 2010 at a South Korean security conference, and Microsoft published an advisory Jan. 4. At the time, the company said it would not release an emergency, or "out-of-band" patch for the problem.

Also in early January, Microsoft took the unusual step of listing the known bugs that it had yet to patch, detailing five unfixed flaws. Next week's updates will address three of those five.

"They're patching the red, orange and yellow," said Storms, referring to the color codes assigned by Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC).

"That's good news, great news," Storms continued.

Some vulnerabilities Microsoft has acknowledged will not be patched next week, however, including a flaw in the MHTML (MIME HTML) protocol handler that the company confirmed only last Friday. Security experts last week were unanimous in betting that the MHTML vulnerability would not be fixed with this month's round of updates.

Of the dozen updates expected next week, three will be labeled "critical," Microsoft's highest threat ranking, while the remaining nine will be marked "important." Microsoft typically assigns a critical rating to vulnerabilities that can be exploited with little or no action on the part of a user.

This year's February patch batch is slightly smaller than 2010's, when Microsoft shipped 13 security updates that quashed 25 bugs.

The majority of the updates -- 10 of the 12 -- affect Windows, with one of those addressing the IIS 7.0 and IIS 7.5 denial-of-service vulnerability in Windows 7 and Windows Server 2008 R2. The other two will fix one or more flaws in IE and Visio.

Storms said that it's a "safe bet" to assume the Visio update will tackle a file format bug.

It was tough to glean any clues about what specific components Microsoft will patch next week from the advance notification's limited information, added Storms. "With 12 bulletins, it's pretty difficult to guess at what the others will include," he said.

"It's going to be a big day for everybody," Storms said. "It'll be interesting at the end of the day what applications are involved."

Even so, he speculated that one of the updates -- marked today only as "Bulletin 4" -- may address a kernel bug in Windows Vista and Windows 7, as well as Windows Server 2008 and 2008 R2. According to Microsoft, Bulletin 4 will not affect the older Windows XP and Windows Server 2003, the reason Storms pegged the kernel, which Microsoft revamped in Vista and later editions, as a potential suspect.

Last month, Microsoft patched a bug in Vista only that was attributed to the operating system's Backup Manager. That update was the seventh Microsoft has released to repair "DLL load hijacking" or "binary planting" vulnerabilities that researchers disclosed last August.

Microsoft will release the 12 updates at approximately 1 p.m. ET on Feb. 8.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed.


Copyright © 2011 IDG Communications, Inc.
