Microsoft Plans 12 Security Fixes, 3 Critical, To Windows, IE, Visio

Microsoft on Thursday said in a security bulletin that it will release the updates, most of which require users restart their system, on Tuesday, February 8.

Microsoft typically updates the security of much of its operating system and application software products on the second Tuesday of every month in a ritual which has become known as "Patch Tuesday."

Of the 12 planned patches for next week, three are ranked as "critical." Microsoft defines critical vulnerabilities as those which "could allow the propagation of an Internet worm without user action." The other nine are ranked as "important."

Two of the three "critical" patches impact different versions of Microsoft's Windows operating system, and were identified by the vendor as impacting remote code execution. The third "critical" patch targets Microsoft's Internet Explorer.

Angela Gunn, a representative for Microsoft's Trustworth Computing program, wrote in a Microsoft Security Response Center blog post on Thursday that the two Windows "critical" patches are related, addressing a vulneratbilitly in the Windows Graphics Rendering issue. With that vulnerability, a successful attacker could run arbitrary code in the security context of the logged-on user. The third "critical" patch fixes a previously-reported vulnerability in Internet Explorer, Gunn wrote. That vulnerability could let an attacker host a Web site that contains a Web page opening the door for the attacker to getin the same user rights as the local user. It also impacts FTP server in IIS 7.0 and 7.5.

All the other patches except for one are ranked as "important" for the various Windows versions, and are related to remote code execution, denial of service, information disclosure, and elevation of privilege. The exception is an "important" patch to Microsoft Visio.

Microsoft said it also plans to release an updated version of its Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

This month's "Patch Tuesday" update is considerably more wide-ranging than last month's, when Microsoft squashed three bugs, one of which was considered "critical."

However, it is not as comprehensive as its December 14 "Patch Tuesday" action when Microsoft issued 17 patches to fix 40 security flaws.

Of the 17 patches, two were ranked critical, including one that fixed a zero-day flaw in IE 6, 7 and 8 already used in active attacks. That was Microsoft's largest patch release to date.