Microsoft today said it will affair 12 aegis updates abutting anniversary to application 22 vulnerabilities in Internet Explorer (IE), Windows, its Internet server and Visio, the company's abstracts diagramming tool.
The aggregation additionally appear it will accommodate patches abutting Tuesday for three bugs it has already acknowledged, including one that has been exploited by abyss for several weeks.
"The big account is that there are three zero-days that are actuality patched," said Andrew Storms, administrator of aegis operations at nCircle Security, talking about the leash of accepted flaws.
Of the three unpatched-but-admitted vulnerabilities, one is in IE, a additional is in Windows' apprehension of thumbnail images and the third is in IIS (Internet Advice Server), Microsoft's accepted Web server software.
Microsoft accustomed the IE bug on Dec. 22, several weeks afterwards French aegis close Vupen issued a bare-bones advising that said all versions of IE, including 2009's IE8, were vulnerable. Shortly afterwards that, Microsoft warned users that attackers were base the bug.
The Windows blemish is in the cartoon engine's apprehension of thumbnail images central folders. The bug was appear in mid-December 2010 at a South Korean aegis conference, and Microsoft appear an advising Jan. 4. At the time, the aggregation said it would not absolution an emergency, or "out-of-band" application for the problem.
Also in aboriginal January, Microsoft took the abnormal footfall of advertisement the accepted bugs that it had yet to patch, account bristles boundless flaws. Abutting week's updates will abode three of those five.
"They're patching the red, orange and yellow," said Storms, apropos to the blush codes assigned by Jonathan Ness, an architect with the Microsoft Aegis Response Center (MSRC).
"That's acceptable news, abundant news," Storms continued.
Some vulnerabilities Microsoft has conceded will not be patched abutting week, however, including a blemish in the MHTML (MIME HTML) agreement abettor that the aggregation accepted alone aftermost Friday. Aegis experts aftermost anniversary were accepted in activity that the MHTML vulnerability would not be anchored with this month's annular of updates.
Of the dozen updates accepted abutting week, three will be labeled "critical," Microsoft's accomplished blackmail ranking, while the actual nine will be apparent "important." Microsoft about assigns a analytical appraisement to vulnerabilities that can be exploited with little or no activity on the allotment of a user.
This year's February application accumulation is hardly abate than 2010's, back Microsoft alien 13 aegis updates that quashed 25 bugs
The majority of the updates -- 10 of the 12 -- affect Windows, with one of those acclamation the IIS 7.0 and IIS 7.5 denial-of-service vulnerability in Windows 7 and Windows Server 2008 R2. The added two will fix one or added flaws in IE and Visio.
Storms said that it's a "safe bet" to accept the Visio amend will accouterment a book architecture bug.
It was boxy to accumulate any clues about what specific apparatus Microsoft will application abutting anniversary from the beforehand notification's bound information, added Storms. "With 12 bulletins, it's appealing difficult to assumption at what the others will include," he said.
"It's activity to be a big day for everybody," Storms said. "It'll be absorbing at the end of the day what applications are involved."
Even so, he speculated that one of the updates -- apparent today alone as "Bulletin 4" -- may abode a atom bug in Windows Vista and Windows 7, as able-bodied as Windows Server 2008 and 2008 R2. According to Microsoft, Bulletin 4 will not affect the earlier Windows XP and Windows Server 2003, the acumen Storms called the kernel, which Microsoft revamped in Vista and after editions, as a abeyant suspect.
Last month, Microsoft patched a bug in Vista alone that was attributed to the operating system's Backup Manager. That amend was the seventh Microsoft has appear to adjustment "DLL amount hijacking" or "binary planting" vulnerabilities that advisers appear aftermost August.
Microsoft will absolution the 12 updates at about 1 p.m. ET on Feb. 8.
The aggregation additionally appear it will accommodate patches abutting Tuesday for three bugs it has already acknowledged, including one that has been exploited by abyss for several weeks.
"The big account is that there are three zero-days that are actuality patched," said Andrew Storms, administrator of aegis operations at nCircle Security, talking about the leash of accepted flaws.
Of the three unpatched-but-admitted vulnerabilities, one is in IE, a additional is in Windows' apprehension of thumbnail images and the third is in IIS (Internet Advice Server), Microsoft's accepted Web server software.
Microsoft accustomed the IE bug on Dec. 22, several weeks afterwards French aegis close Vupen issued a bare-bones advising that said all versions of IE, including 2009's IE8, were vulnerable. Shortly afterwards that, Microsoft warned users that attackers were base the bug.
The Windows blemish is in the cartoon engine's apprehension of thumbnail images central folders. The bug was appear in mid-December 2010 at a South Korean aegis conference, and Microsoft appear an advising Jan. 4. At the time, the aggregation said it would not absolution an emergency, or "out-of-band" application for the problem.
Also in aboriginal January, Microsoft took the abnormal footfall of advertisement the accepted bugs that it had yet to patch, account bristles boundless flaws. Abutting week's updates will abode three of those five.
"They're patching the red, orange and yellow," said Storms, apropos to the blush codes assigned by Jonathan Ness, an architect with the Microsoft Aegis Response Center (MSRC).
"That's acceptable news, abundant news," Storms continued.
Some vulnerabilities Microsoft has conceded will not be patched abutting week, however, including a blemish in the MHTML (MIME HTML) agreement abettor that the aggregation accepted alone aftermost Friday. Aegis experts aftermost anniversary were accepted in activity that the MHTML vulnerability would not be anchored with this month's annular of updates.
Of the dozen updates accepted abutting week, three will be labeled "critical," Microsoft's accomplished blackmail ranking, while the actual nine will be apparent "important." Microsoft about assigns a analytical appraisement to vulnerabilities that can be exploited with little or no activity on the allotment of a user.
This year's February application accumulation is hardly abate than 2010's, back Microsoft alien 13 aegis updates that quashed 25 bugs
The majority of the updates -- 10 of the 12 -- affect Windows, with one of those acclamation the IIS 7.0 and IIS 7.5 denial-of-service vulnerability in Windows 7 and Windows Server 2008 R2. The added two will fix one or added flaws in IE and Visio.
Storms said that it's a "safe bet" to accept the Visio amend will accouterment a book architecture bug.
It was boxy to accumulate any clues about what specific apparatus Microsoft will application abutting anniversary from the beforehand notification's bound information, added Storms. "With 12 bulletins, it's appealing difficult to assumption at what the others will include," he said.
"It's activity to be a big day for everybody," Storms said. "It'll be absorbing at the end of the day what applications are involved."
Even so, he speculated that one of the updates -- apparent today alone as "Bulletin 4" -- may abode a atom bug in Windows Vista and Windows 7, as able-bodied as Windows Server 2008 and 2008 R2. According to Microsoft, Bulletin 4 will not affect the earlier Windows XP and Windows Server 2003, the acumen Storms called the kernel, which Microsoft revamped in Vista and after editions, as a abeyant suspect.
Last month, Microsoft patched a bug in Vista alone that was attributed to the operating system's Backup Manager. That amend was the seventh Microsoft has appear to adjustment "DLL amount hijacking" or "binary planting" vulnerabilities that advisers appear aftermost August.
Microsoft will absolution the 12 updates at about 1 p.m. ET on Feb. 8.