Microsoft To Patch Three Vulnerabilities Tuesday

January's software update won't fix two zero-day bugs being exploited by attackers.

Mathew J. Schwartz, Contributor

January 7, 2011

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Top 10 Microsoft Stories Of 2010

Top 10 Microsoft Stories Of 2010


(click image for larger view)
Slideshow: Top 10 Microsoft Stories Of 2010

Microsoft is set to issue two security bulletins, collectively patching three vulnerabilities, as part of January's Patch Tuesday.

The first security bulletin, rated as "critical," affects all supported versions of Windows. The second, rated "important," affects Windows Vista. Attackers could exploit the vulnerabilities to execute remote code on a targeted computer. "As always, we recommend that customers deploy these updates as soon as possible," said Microsoft.

This month's Patch Tuesday, however, won't address two zero-day vulnerabilities which attackers are reportedly already actively exploiting.

On Tuesday, Microsoft confirmed a zero-day vulnerability that affects its graphics rendering engine, which an attacker could use to install programs, delete data, or create new user accounts. Microsoft also issued mitigation instructions, as well as a Fixit Button that home users and small businesses can use to mitigate the vulnerability.

Microsoft also released a suggested workaround for a zero-day CSS-related vulnerability that affects all versions of Internet Explorer. The flaw was recently disclosed by Google researcher Michal Zalewski, and later confirmed by French vulnerability research firm Vupen.

"The vulnerability exists due to the creation of uninitialized memory during a CSS function within Internet Explorer. It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution," said Microsoft.

According to Carlene Chmaj, senior response communications manager for Microsoft trustworthy computing, "we have started to see targeted attacks" using the CSS exploit.

Accordingly, beyond next week's Patch Tuesday, "there is also potential for further updates this month," said Qualys CTO Wolfgang Kandek."

Finally, there are two additional vulnerabilities currently being explored by security researchers. Both affect IE, and proof of concept attack code exists. "We expect Microsoft to acknowledge them soon," said Kandek.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

See more from Mathew J. Schwartz
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars

Editor's Choice

A woman sitting at a laptop and holding a mobile device, the screens of both displaying a green check mark in a circle
Cyberattacks & Data Breaches
Researchers Crack Microsoft Azure MFA in an HourResearchers Crack Microsoft Azure MFA in an Hour
byElizabeth Montalbano, Contributing Writer
Dec 11, 2024
4 Min Read
The words "zero-day" written in a line of code on a computer screen
Application Security
Microsoft NTLM Zero-Day to Remain Unpatched Until AprilMicrosoft NTLM Zero-Day to Remain Unpatched Until April
byJai Vijayan, Contributing Writer
Dec 9, 2024
3 Min Read
A patchwork quilt
Application Security
Actively Exploited Zero-Day, Critical RCEs Lead Microsoft Patch TuesdayMicrosoft Fixes Active Zero-Day, Critical RCEs on Patch Tuesday
byTara Seals, Managing Editor, News, Dark Reading
Dec 10, 2024
5 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers