Microsoft closes critical holes in Windows, IE and IIS
Twelve patches to close a total of 22 security holes – that's the outcome of Microsoft's February Patch Tuesday. While the patches solve the known problems in Internet Explorer and Windows, some of which are already being actively exploited, the security holes in Microsoft Office recently disclosed by the ZDI remain open.
The most important vulnerabilities are covered by bulletin MS11-003 for Internet Explorer and bulletin MS11-006 for the Windows Shell graphics processor. Both holes have been rated critical and code to exploit them is already in circulation on the net. Microsoft has also rated the holes in the OpenType Compact Font Format driver (CFF, MS11-007) as critical.
Users who run an FTP server with Internet Information Services (IIS 7.0 and 7.5) should take a look at bulletin MS11-004. A server crash can reportedly be triggered through the use of specific packets; Microsoft doesn't rule out the possibility that the hole could be exploited to take control of a server.
The update for Microsoft Visio (MS11-008) is only rated "important" because related exploits require users to open a specially crafted document. An overview of the remaining holes with a rating of "important" is available in Microsoft's February Patch Tuesday summary and in a table provided by the Internet Storm Center.