Microsoft's monthly update to include two zero-day fixes

Microsoft plans to push out 12 patches next week as part of its monthly security update – two of which will close publicly known vulnerabilities.

Three of the 12 bulletins are deemed "critical" by Microsoft, while the remaining nine earned an "important" designation, according to an advance notification released Thursday. The patches address a total of 22 bugs in Windows, Internet Explorer (IE), Office, Visual Studio and Internet Information Services (IIS).

The update, scheduled to arrive Tuesday, will include a fix for a flaw in the Windows Graphics Rendering Engine that could lead to remote code execution, Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote in a company blog post.

The vulnerability, revealed in December at a Korean hacker event, can enable an attacker to install malicious programs, access data or create accounts with full user rights, according to an advisory.

Also on the docket for repair is a gaping hole in all supported versions of IE, Gunn said. Exploit code has been published.

Gunn also revealed that Microsoft is prepping a fix for an issue affecting the FTP service in IIS versions 7.0 and 7.5.

Patches are due to be released Tuesday at 1 p.m. EST.
