Microsoft will issue 12 bulletins, three of them critical, next week as part of its regularly scheduled Patch Tuesday round of updates, repairing holes across its product line.
In its February Advance Notification,
Included in the February batch of patches is an update to repair a publicly disclosed vulnerability in its Windows Graphics Rendering Engine, which could be used in drive-by attacks. The flaw is in the way Windows accesses an object to run an application. A malicious thumbnail image can cause the Graphics Rendering Engine to fail. The maintainers of the Metasploit Framework created a module for the zero-day flaw last month, though there have been no reports of ongoing attacks targeting the vulnerability.
Microsoft is also addressing a serious memory bug in Internet Explorer that could be used by attackers to remotely execute malicious files. The flaw, in the Cascading Style Sheet (CSS) function within Internet Explorer, surfaced in late December. An automated fix-it was issued that temporarily prevents the recursive loading of CSS stylesheets.
Alan Bentley, a senior vice president at Lumension Security Inc., which specialises in endpoint security patch management, warned that the Internet Explorer patch will need to be handled carefully.
"With such a significant patch, IT departments across the world will be undergoing a mass reboot," he said. "As we know from experience, reboots of this magnitude have been known to upset services and applications so it's possible we will see similar problems to what we encountered in 2007, when a large Microsoft patch that required a reboot crippled applications, Skype in particular."
On the same day, Adobe Systems Inc. said it will release critical patches for flaws in both Adobe Reader and Acrobat. The new releases cover Adobe Reader X (10.0) for Windows and Macintosh; Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX; Adobe Acrobat X (10.0) for Windows and Macintosh; and Adobe Acrobat 9.4.1 and earlier versions for Windows and Macintosh.
The company says it expects to make updates for Windows and Macintosh available Feb 8. The update for UNIX should be ready by the week of Feb 28.
~Robert Westervelt and Ron Condon