Microsoft to patch critical Windows flaw to block ongoing attacks

Staff, SearchSecurity.com

Microsoft plans to issue two bulletins next week as part of its regular patching cycle, blocking a critical Windows vulnerability that it said is being actively targeted in the wild.

The security bulletins are scheduled to be released Jan. 11. The critical bulletin affects all supported versions of Windows. A bulletin rated "important" affects Windows Vista.

Engineers are still preparing patches for the two new zero-day vulnerabilities that surfaced in recent weeks.

In its advance notification to customers, the software giant said it would not be repairing serious Internet Explorer vulnerabilities. An IE zero-day vulnerability, which was reported on Dec. 9 by French security firm VUPEN, could be used by attackers in drive-by attacks, the firm warned. Proof-of-concept code was added Dec. 22 as a module to the Metasploit Framework. The zero-day flaw affects Internet Explorer 6, 7 and 8.

Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys Inc., said researchers are also discussing two other Internet Explorer zero-day vulnerabilities. "We expect Microsoft to acknowledge them soon," he wrote in an overview of the advance notification in his company's blog.

A hole in the Windows Graphics Rendering Engine, which surfaced this week, will also remain open.

Microsoft said the vulnerability enables an attacker to use an embedded thumbnail image containing malicious code in drive-by attacks or by tricking a user into opening a malicious Word or PowerPoint file. The vulnerability affects all versions of Windows except Windows 7 and Windows Server 2008 R2.

The vulnerability was demonstrated last month by security researchers at the Power of Community security conference in Korea. The maintainers of the Metasploit Framework created a module for the zero-day flaw Tuesday, and Microsoft said it has begun detecting attacks targeting the vulnerability.

In December, Microsoft issued a record 17 security bulletins, repairing 40 vulnerabilities across its product line. The bulletins included patches that addressed seven critical flaws in both client-side software and server systems.

~Robert Westervelt