Microsoft to fix IE CSS and Windows Graphics vulnerabilities in February Patch Tuesday

By Tom Warren, on 3rd Feb 11 6:37 pm with 3 Comments

Microsoft announced on Thursday its bulletins for February 2011's Patch Tuesday.

The software giant is planning to release 12 bulletins, three of them rated Critical and nine rated Important, to address issues in Windows, Internet Explorer, Office, Visual Studio and IIS. The company says it will fix a total of 22 vulnerabilities across its most popular products. Microsoft also confirmed it will patch two important flaws in Internet Explorer and Windows on Patch Tuesday. Microsoft recently warned of a publicly disclosed flaw affecting the Windows Graphics Rendering Engine on Vista, Server 2003 and Windows XP. The vulnerability is caused when the Windows Graphics Rendering Engine improperly parses a specially crafted thumbnail image, resulting in a stack overflow. Microsoft will be patching this vulnerability in February’s Patch Tuesday. Windows 7 is unaffected by the flaw.

Microsoft’s second unpatched vulnerability is a CSS issue with Internet Explorer. The issue is caused by a use-after-free error within the mshtml.dll library when processing web pages featuring CSS that uses “@import” rules. Attackers can exploit the flaw to execute arbitrary code via a specially crafted web page. The vulnerability affects Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3. Internet Explorer 6 and 7 are also affected on Windows XP SP3. Microsoft said on Thursday that it is planning to fix this vulnerability on Patch Tuesday.

Microsoft recently warned of an unpatched vulnerability in all supported versions of Windows. The vulnerability affects Windows XP, Vista, Windows 7 and all supported Windows Server releases. The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context. An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s Internet Explorer instance. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

Microsoft has not confirmed when it plans to address the recent Windows vulnerability. Angela Gunn of Microsoft’s Trustworthy Computing team says the company hasn’t “seen any indications of active exploitation.” Microsoft is currently investigating the vulnerability and says it’s working on a security update to address the flaw.

  • Anonymous

    There are Windows graphics flaws?

    • Anonymous

      Ah I know which “graphics flaws” it’s talking about, they’re more of a graphics glitch

  • Joel

    How bout giving us a date on the wp7 update already, or how about something along the line of a “wp7 wednesday” to release the “nodo” update…. Still impatiently waiting..