Ahead of next week’s Patch Tuesday, Microsoft has given advance notice that it intends to address a total of 22 security issues in the update, covering everything from Windows and Internet Explorer to Microsoft Office, Visual Studio, and its IIS server application. In all, Microsoft will issue 12 bulletins, covering nine issues the company considers “important” and three rated “critical.”
Among the critical fixes will be patches for a zero-day flaw in the Windows Graphics Rendering Engine that began appearing in the wild back in January. The flaw enables attackers to take control of a PC using a specially crafted image on a Web site or embedded in a Word or PowerPoint document. The update will also fix a remote code execution bug with CSS handling in Internet Explorer, along with zero-day exploits against the FTP server included with IIS.
However, Patch Tuesday will not include a fix for recently uncovered script injection attacks against Internet Explorer that could potentially be used to spoof content, harvest user information, or install malware on a user’s machine. For now, the best defense against the exploit is locking down the MHTML protocol (which involves registry editing), setting the Internet and Local Intranet security settings to “high”, or configuring IE to block (or prompt to run) Active Scripting for the Internet and Local Intranet zones.