Microsoft To Patch Three Zero Day Vulnerabilities
Tuesday will bring 22 fixes from Microsoft, as well as Adobe patches for Acrobat and Reader.
By Mathew J. Schwartz
February 7, 2011 10:54 AM
Microsoft's February Patch Tuesday will see the release this week of 12 security bulletins, patching a total of 22 vulnerabilities, including three that could be exploited via zero-day attacks.
According to Wolfgang Kandek, CTO of Qualys, "these vulnerabilities have seen limited exploits in the wild, so applying the update is highly recommended."
One of those bugs, a CSS-related vulnerability that affects all versions of Internet Explorer, was disclosed in late 2010 by a Google researcher. By early January, security firms reported that attackers were actively exploiting the bug.
Microsoft will also patch a zero-day vulnerability in the Windows Graphics Rendering Engine. Attackers could exploit the flaw using malicious thumbnail images, and execute arbitrary code at the user's permission level.
The third zero-day vulnerability to be patched is an FTP service bug, first acknowledged in December 2010, that affects Internet Information Services (IIS) 7.0 and 7.5, although not IIS Web Services. While attackers could exploit this vulnerability to cause a denial of service, Microsoft said it was unlikely they could remotely execute code. Also, most organizations that use IIS likely won't be vulnerable, since the IIS FTP service is not installed by default and, even when installed, is not enabled by default.