Microsoft plans to issue two bulletins next week as part of its regular patching cycle, blocking a critical Windows vulnerability that it said is being actively targeted in the wild.
The security bulletins are scheduled to be released Jan. 11. The critical bulletin affects all supported versions of Windows. A bulletin rated "important" affects WIndows Vista.
Engineers are still preparing patches for the two new zero-day vulnerabilities that surfaced in recent weeks.
In its advance notification to customers, the software giant said it would not be repairing serious Internet Explorer vulnerabilities. An IE zero-day vulnerability, which was reported on Dec. 9 by French security firm VUPEN, could be used by attackers in drive-by attacks, the firm warned. Proof-of-concept code was added Dec. 22 as a module to the Metasploit Framework. The zero-day flaw affects Internet Explorer 6, 7 and 8.
Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys Inc. said researchers are also discussing two other Internet Explorer zero-day vulnerabilities. "We expect Microsoft to acknowledged them soon," he wrote in an overview of the advance notification in his company's blog.
A hole in the Windows Graphics Rendering Engine, which surfaced this week will also remain open.
Microsoft said the vulnerability enables an attacker to use an embedded thumbnail image containing malicious code in drive-by attacks or by tricking a user to open a malicious Word or PowerPoint file. The vulnerability affects all versions of Windows except Windows 7 and Windows Server 2008 R2.
The vulnerability was demonstrated last month by security researchers at the Power of Community security conference in Korea. The maintainers of the Metasploit Framework created a module for the zero-day flaw Tuesday and Microsoft said it has begun detecting attacks targeting the vulnerability.
In December, Microsoft issued a record 17 security bulletins, repairing 40 vulnerabilities across its product line. The bulletins included patches that addressed seven critical flaws in both client-side software and server systems.
Editors' note: Microsoft will not be addressing the recent vulnerabilities that surfaced in Internet Explorer or the recent Windows Graphics Rendering Engine error. Information in the original story was incorrect.