Microsoft patches 22 holes and three zero-day flaws

Microsoft has released 12 security bulletins this month patching 22 flaws, including zero-day vulnerabilities in Windows, Internet Explorer and IIS.

February's Patch Tuesday sees three 'critical' updates in total, two for Windows and one for Internet Explorer.

The latter relates to a Cascading Style Sheet (CSS) issue and could allow remote code execution "if a user views a specially crafted web page using IE or if a user opens a legitimate HTML file that loads a specially crafted library file", according to the Microsoft Security Bulletin Summary for February 2011.

"Among the six previously public vulnerabilities fixed, the Internet Explorer CSS issue is the only one Symantec is seeing actively being used in attacks," said Joshua Talbot, security intelligence manager for Symantec Security Response.

"The attacks aren't extremely widespread, but we did recently see a spike in activity. IT managers should patch this right away, especially those that have not implemented the temporary workaround released last month."

Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, agreed that the IE update is the most important for IT managers to apply, but also highlighted the IIS flaw, which could allow remote code execution on IIS through the FTP service, and the Windows 'thumbnail' remote code execution vulnerability.

The third critical vulnerability in this month's line up addresses a flaw in the OpenType library, he added.

"Since OpenType is not used in IE, this important attack vector is closed off, forcing more complicated delivery schemes to be used - via zipped folders, for example - similar to this attack on MS11-006, " said Kandek.

"As third-party browsers can possibly be used in the exploitation of this flaw, we recommend including this patch in the high priority queue."

However, two zero-day exploits currently affecting Microsoft products have not been addressed, including the MHTML flaw that affects all versions of Windows.

"The scope and impact of the MHTML vulnerability is relatively limited compared to other recent zero-day code execution vulnerabilities," said Jim Walter, manager of the McAfee Threat Intelligence Service for McAfee Labs.

"Based on the information that is currently available, we are aware that successful exploitation could lead to the running of arbitrary scripts, as well as the disclosure of sensitive information."