Microsoft plans to patch critical Windows bug next week

But it's not ready to fix newest IE and Windows flaws

Microsoft today announced it would release just two security updates next week to patch three vulnerabilities in Windows.

One of the two was tagged with the "critical" label, Microsoft's highest threat ranking, while the other was marked "important." Microsoft typically assigns a critical rating to vulnerabilities that can be exploited with little or no action on the part of a user.

Both updates will patch flaws in Windows.

What Microsoft pegged as "Bulletin 1" in the advance notification it published today will affect only Windows Vista, while "Bulletin 2" will affect all still-supported versions of the OS, with the client editions -- XP, Vista and Windows 7 -- labeled critical and the server software rated important.

"The Vista one is confusing," said Andrew Storms, director of security operations at nCircle Security. "It's either something introduced in Vista but doesn't exist in Windows 7, or the component was rewritten for Windows 7."

Storms speculated that the flaw might be in a part of operating system that's little used, such as the task scheduler.

As for Bulletin 2, Microsoft's bare bones write-up -- typical of its advance warnings prior to Patch Tuesday -- also doesn't offer many clues.

"It's critical in all the desktop clients and important in the server, and consistent in the whole stack," said Storms, talking about Microsoft's threat ratings. "The difference in the criticality is confusing, and Microsoft's not giving us much to go on."

The bug(s) patched by Bulletin 2 are most likely in an operating system DLL (dynamic-link library), said Storms, perhaps a driver or database connector, that's crucial to the OS.

Next week's updates will be a far cry from last month's, when Microsoft issued a record 17 security bulletins and fixed 40 flaws, the second-largest number ever.

"I'll take it," said Storms, referring to the relatively easy Patch Tuesday next week compared to the monster update Microsoft pushed to customers in December.

Microsoft will not be patching either of the vulnerabilities that the company recently acknowledged -- and issued security advisories for -- said Carlene Chmaj, a spokeswoman for the Microsoft Security Response Center (MSRC), in a post Thursday to the team's blog . "We continue to actively monitor both vulnerabilities," she said.

Two weeks ago, Microsoft confirmed a critical bug in all versions of IE, including the newest production edition IE8, that hackers could exploit by convincing users to visit a malicious site. On Tuesday, the company acknowledged a serious flaw in Windows XP, Vista, Server 2003 and Server 2008.

Chmaj also confirmed that Microsoft has seen in-the-wild targeted attacks exploiting the IE bug. Microsoft typically releases an emergency, or "out-of-band," security update only if attacks spike.

Nonetheless, some researchers were surprised that Microsoft isn't addressing the two bugs next week.

"The big shock this month is that Microsoft is not addressing two security advisories that have already been weaponized," Josh Abraham, a researcher with Rapid7, said in an e-mail.

Storms wasn't so stunned.

"The only chance that they would have patched [the two outstanding bugs] is if they already knew about them months before," Storms said. "If anyone is surprised that [those bugs] are not being patched, they don't follow Microsoft's release cycles very closely."

It's possible, Storms admitted, that Microsoft may be forced to release an IE update a week or two early. That update, expected Feb. 8, would conceivably include not only a fix for the bug Microsoft confirmed Dec. 22, but also one for the vulnerability Google security engineer Michal Zalewski told Microsoft about last July.

"They probably have the first on the schedule for February already," said Storms.

Abraham anticipates an early IE update. "I would bet that if the malicious attackers start using the [public] exploits then we will see an out-of-band patch," he said.

Microsoft will release its two updates at approximately 1 p.m. ET on Jan. 11.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftoperating systemssoftwareWindows

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Brand Post

Imou: At home with security

Modern living is all about functionality and security for everybody from the very young to the very old. With Imou anybody can enjoy smart life – the solution is at their fingertips.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?