Zero-day flaws remain unpatched, as Microsoft releases two bulletins for next week's Patch Tuesday
The first Patch Tuesday of 2011 will see Microsoft release only two bulletins to address three vulnerabilities in Windows.
Set for release on Tuesday 11th, the first bulletin is important and affects Windows Vista, while the second bulletin is rated as critical and all supported versions of Windows are affected.
Carlene Chmaj, senior response communications manager at Microsoft Trustworthy Computing, said: “This month we will not be releasing updates to address Security Advisory 2490606 (public vulnerability affecting Windows Graphics Rendering Engine) and Security Advisory 2488013 (public vulnerability affecting Internet Explorer).
“We continue to actively monitor both vulnerabilities and for Advisory 2488013 we have started to see targeted attacks. If customers have not already, we recommend they consult the advisory for the mitigation recommendations.”
Alan Bentley, SVP at Lumension, said: “After December's mammoth Patch Tuesday, which saw 17 patches fix over 40 vulnerabilities, security professionals might be breathing a sigh of relief at the few patches they have to deal with this month.
“However, I doubt there will be many putting their feet up just yet. Although Microsoft has acknowledged the Internet Explorer and Windows Graphics Rendering Engine zero-day issues, there is seemingly nothing addressing these critical vulnerabilities in the upcoming release. Microsoft has instead focused on releasing an ‘important' patch for Windows Vista and a ‘critical' patch for all versions of Windows that will fix three holes in its operating systems.”
Wolfgang Kandek, CTO at Qualys, predicted that the two open zero-day flaws would be fixed this month especially as the security community is discussing the additional vulnerabilities in Internet Explorer, while proof of concept code exists.
“Microsoft is working on some helpful guidelines for the risk assessment of the current advisories and the open zero-days. Their highest priority is the Internet Explorer issue which has a suggested workaround of using EMET, the Windows Explorer ‘thumbnail' issue can be addressed by setting the permissions on the DLL in question, which is easy to do and has only a very limited usability impact (instead of displaying thumbnails of image files Explorer will only show generic icons),” he said.