Microsoft has announced that it is going to fix 22 vulnerabilities across a range of 12 security updates next week. These will target Windows, Internet Explorer, Internet Server and Visio, the company's data diagramming tool.
Microsoft has also announced that patches will be released for three bugs it has already acknowledged, and one that criminals have been exploiting for weeks.
Andrew Storms, director of security operations for nCircle Security, has said: “The big news is that there are three zero-days that are being patched.” These three significant vulnerabilities include one within Internet Explorer, one in IIS (Internet Information Server) and the last in Windows' rendering of thumbnail images.
Microsoft stated that it was aware of the Internet Explorer bug on December 22nd 2010, several weeks after French security firm Vupen issued a bare-bones advisory that said all versions of Internet Explorer, including V8, were open to the vulnerability. Microsoft then said it was aware attackers were already exploiting the bug.
The Windows bug is unusual in that it is related to the graphics engine's rendering of thumbnail images inside folders. The bug was disclosed in mid-December at a South Korean security conference. Microsoft said it would not release an emergency fix for this. Last month Microsoft listed five unfixed flaws and is finally addressing three of these next week.
KitGuru says: better late than never.