Microsoft to Issue Just Two Bulletins in January Patch Tuesday
Microsoft plans to issue just two patches in its monthly scheduled release next Tuesday. Both of the bugs that Microsoft will fix are in Windows and one of them is rated critical, but it doesn't appear the company will patch the Internet Explorer bugs that have been publicly disclosed.
January's Patch Tuesday release represents one of the smaller ones in recent memory. It will include just two bulletins, one for a critical flaw in Windows and another for an important bug. Microsoft has been issuing huge numbers of bulletins in the last few months, with October's Patch Tuesday being the largest one since the company established its regular release schedule. That month Microsoft released 16 bulletins that covered a total of 49 vulnerabilities.
Just two months later, in December, Microsoft released another major update, this one comprising 17 bulletins with patches for 40 vulnerabilities. January 2010 also was a light month for Microsoft patches, with the company issuing just one fix, for a critical bug in Windows, along with a cumulative patch release for Internet Explorer. Things picked up quickly after that though, with Microsoft issuing 13 bulletins the following month.
It does not appear that Microsoft will be patching any of the known vulnerabilities in Internet Explorer that have cropped up recently, including the one that researcher Michal Zalewski identified and publicized earlier this week. Zalewski found the flaw with a tool he's written called cross_fuzz, which also identified bugs in a number of other browsers. Zalewski said that he notified Microsoft about cross_fuzz and the crashes that it had caused in IE in July. He had some communications with the MSRC over the next month or so, but the crashes were never resolved. He then pinged the company's security staff again in December, in anticipation of the release of the fuzzer, and the company asked him to delay the release, which he refused to do, according to Zalewski's timeline of his correspondence with the MSRC.
One of the exploitable crashes that Zalewski identified in IE appears to have been independently discovered by someone in China, who then wound up stumbling upon a page on cross_fuzz that was accidentally left publicly accessible, Zalewski said.
"While working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces. As a result, the fuzzer directory, including msie_crash.txt, has been indexed by GoogleBot," he wrote. "I have confirmed that following this accident, no other unexpected parties discovered or downloaded the tool. That said, on December 30, I received the following search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files.
"The pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely."
Microsoft has disputed Zalewski's version of events, saying that even though they got the cross_fuzz tool in July, they weren't able to reproduce the exploitable crash until much later.
"At the time, neither Microsoft nor the Google security researcher identified any issues. On December 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version. We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable. At this point, we're not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes," Jerry Bryant, group manager in the Trustworthy Computing Group at Microsoft, said in an email.
"Security is an industry-wide issue and Microsoft is committed to working with researchers and/or the companies who employ them when they discover potential vulnerabilities, and this case is no exception. Working with software vendors to address potential vulnerabilities in their products before details are made public reduces the overall risk to customers. In this case, risk has now been amplified."
There's also another known vulnerability affecting IE 6, 7 and 8 that Microsoft has not yet patched.