Microsoft to patch critical Windows flaw to block ongoing attacks

SearchSecurity.com Staff

Microsoft plans to issue two bulletins next week as part of its regular patching cycle, blocking a critical Windows vulnerability that it said is being actively targeted in the wild.

The security bulletins are scheduled to be released Jan. 11. The critical bulletin affects all supported versions of Windows. A bulletin rated "important" affects Windows Vista.

Engineers are still preparing patches for the two new zero-day vulnerabilities that surfaced in recent weeks.

In its advance notification to customers, the software giant said it would not be repairing serious Internet Explorer vulnerabilities. An IE zero-day vulnerability, which was reported on Dec. 9 by French security firm VUPEN, could be used by attackers in drive-by attacks, the firm warned. Proof-of-concept code was added Dec. 22 as a module to the Metasploit Framework. The zero-day flaw affects Internet Explorer 6, 7 and 8.

Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys Inc., said researchers are also discussing two other Internet Explorer zero-day vulnerabilities. "We expect Microsoft to acknowledge them soon," he wrote in an overview of the advance notification on his company's blog.

A hole in the Windows Graphics Rendering Engine, which surfaced this week, will also remain open.

Microsoft said the vulnerability enables an attacker to use an embedded thumbnail image containing malicious code in drive-by attacks or by tricking a user to open a malicious Word or PowerPoint file. The vulnerability affects all versions of Windows except Windows 7 and Windows Server 2008 R2.

The vulnerability was demonstrated last month by security researchers at the Power of Community security conference in Korea. The maintainers of the Metasploit Framework created a module for the zero-day flaw Tuesday and Microsoft said it has begun detecting attacks targeting the vulnerability.

In December, Microsoft issued a record 17 security bulletins, repairing 40 vulnerabilities across its product line. The bulletins included patches that addressed seven critical flaws in both client-side software and server systems.

~Robert Westervelt


Editors' note: Microsoft will not be addressing the recent vulnerabilities that surfaced in Internet Explorer or the recent Windows Graphics Rendering Engine error. Information in the original story was incorrect.
