Microsoft today said it will issue 12 security updates next week to patch 22 vulnerabilities in Internet Explorer (IE), Windows, its Internet server and Visio, the company's data diagramming tool.

The company also announced it will provide patches next Tuesday for three bugs it has already acknowledged, including one that has been exploited by criminals for several weeks.

"The big news is that there are three zero-days that are being patched," said Andrew Storms, director of security operations at nCircle Security, talking about the trio of confirmed flaws.

Of the three unpatched-but-admitted vulnerabilities, one is in IE, a second is in Windows' rendering of thumbnail images and the third is in IIS (Internet Information Server), Microsoft's popular Web server software.

Microsoft acknowledged the IE bug on Dec. 22, several weeks after French security firm Vupen issued a bare-bones advisory that said all versions of IE, including 2009's IE8, were vulnerable. Shortly after that, Microsoft warned users that attackers were exploiting the bug.

Full story: Computerworld