Two known flaws highlight Microsoft patch batch

Microsoft on Tuesday released 12 patches to correct 22 vulnerabilities, including two zero-day bugs, as part of its February security update.

Most experts singled out bulletin MS11-003 as the priority patch. It fills four holes in Internet Explorer, three rated "critical" and one "important." One of the vulnerabilities fixed is publicly known and affects all supported versions of the browser; exploit code was posted shortly after Microsoft revealed the flaw in December.

"Even though the attacks have been limited, this vulnerability needs to be patched immediately as future attacks are likely," said Jason Miller, data team manager at Shavlik Technologies, which makes vulnerability management products.

Another major fix is MS11-006, which resolves a second publicly known vulnerability, this one in the Windows Shell graphics processor, affecting Windows XP, Vista, Server 2003 and Server 2008. So far, Microsoft has not seen any active attacks.

"The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image," according to the advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Finally, Microsoft recommends administrators prioritize MS11-007, which addresses a single vulnerability in the Windows OpenType Compact Font Format (CFF) driver.

Aside from the remaining nine patches, which drew "important" ratings, Microsoft also announced plans to push out an update to AutoRun, described in an advisory originally released in February 2009, as part of Windows Update. Malware that propagates via the AutoRun capability has become more common in recent months.

"Windows 7 already disables AutoRun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction," Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote in a Tuesday blog post. "With the change to the advisory, earlier versions of Windows that receive their updates automatically via Windows Update 'AutoUpdate' will now gain that security-conscious functionality as well."

Microsoft failed to patch any of the five vulnerabilities revealed on Monday by TippingPoint's Zero Day Initiative, which promised roughly six months ago to disclose as soon as Feb. 4 any unfixed bugs that had been reported to the bounty service.

Microsoft reportedly was planning to patch the flaws in Tuesday's update but pulled them for quality assurance reasons.

Also on Tuesday, Adobe patched 68 flaws across its Reader and Acrobat, ColdFusion, Shockwave Player and Flash Player product lines.
