Microsoft to release three patches next week, but no patch for Internet Explorer zero-day flaw

News by Dan Raywood

Microsoft is to release three updates to address 11 vulnerabilities on its Patch Tuesday for November.

The patches include one critical issue and one important issue in Microsoft Office and one important vulnerability in its Unified Access Gateway (UAG).

Wolfgang Kandek, CTO of Qualys, said: “A ‘critical’ rating on an Office program is fairly rare; most vulnerabilities on the Office suite are categorised as ‘important’ because they typically require user interaction to get a successful exploitation.

“Critical here indicates a vulnerability that can be used to take control of the target machine without user interaction, such as MS10-064, where visualising an email in Outlook's preview pane was sufficient to trigger the flaw.”

Alan Bentley, SVP International at Lumension, said: “Following the biggest patch Tuesday on record last month, Microsoft is catching its breath with just three bulletins to be issued for November. Only one is critical, but all three may require a restart.

“So it might be a quieter month on the Microsoft front, but IT managers will still have their hands relatively full with a number of other notable patches from Adobe, Mozilla and Linux to contend with.”

Bentley also referenced the zero-day flaw affecting three versions of Internet Explorer, which, while active in the wild, is still unpatched. Microsoft said that it has released a workaround for the flaw, that it takes this action very seriously and that, where possible, it will take legal action against those responsible.

Jerry Bryant, group manager of response communications at Microsoft's Trustworthy Computing Group, said: “We are working to develop a security update to address this attack against our customers. The issue does not meet the criteria for an out-of-band release. However, we are monitoring the threat landscape very closely and if the situation changes, we will post updates on the MSRC blog.”

Bentley said: “This could leave many users waiting for more than a month before they know they are fully protected from this threat, because a workaround typically is not implemented by the majority of users. On the run up to Christmas, with industry experts predicting online shopping in the UK to increase by 23 per cent from 2009, it seems rather surprising that Microsoft have not prioritised a patch.”

