Microsoft patchMicrosoft plans to issue just two patches in its monthly scheduled release next Tuesday. Both of the bugs that Microsoft will fix are in Windows and one of them is rated critical, but it doesn’t appear the company will patch the Internet Explorer bugs that have been publicly disclosed.

January’s Patch Tuesday release represents one of the smaller ones in recent memory. It will includes just two bulletins, one for a critical flaw in Windows and another for an important bug. Microsoft has been issuing huge numbers of bulletins in the last few months, with October’s Patch Tuesday being the largest one since the company established its regular release schedule. That month Microsoft released 16 bulletins that covered a total of 49 vulnerabilities.

Just two months later, in December, Microsoft released another major update, this one comprising 17 bulletins with patches for 40 vulnerabilities. January 2010 also was a light month for Microsoft patches, with the company issuing just one fix, for a critical bug in Windows, along with a cumulative patch release for Internet Explorer. Things picked up quickly after that though, with Microsoft issuing 13 bulletins the following month.

It does not appear that Microsoft will be patching any of the known
vulnerabilities in Internet Explorer that have cropped recently,
including the one that researcher Michael Zalewski identified and
publicized earlier this week. Zalewski found the flaw with a tool he’s
written called cross_fuzz,
which also identified bugs in a number of other browsers. Zalewski said
that he notified Microsoft about Cross_fuzz and the crashes that it had
caused in IE in July. He had some communications with the MSRC over the
next month or so, but the crashes were never resolved. He then pinged
the company’s security staff again in December, in anticipation of the
release of the fuzzer, and the company asked him to delay the release,
which he refused to do, according to Zalewski’s timeline of his correspondence with the MSRC.

One of
the exploitable crashes that Zalewski identified in IE appears to have
been independently discovered by someone in China, who then wound up
stumbling upon a page on cross_fuzz that was accidentally left publicly
accessible, Zalewski said.

“While working on addressing cross_fuzz
crashes in WebKit prior to this announcement, one of the developers
accidentally leaked the address of the fuzzer in one of the uploaded
crash traces. As a result, the fuzzer directory, including
msie_crash.txt, has been indexed by GoogleBot.” he wrote. “I have
confirmed that following this accident, no other unexpected
parties discovered or downloaded the tool. That said, on December 30, I
received the following search queries from an IP address in China -which
matched keywords mentioned in one of the indexed cross_fuzz files.

“The pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely.”

Microsoft has disputed Zalewski’s version of events, saying that even though they got the cross_fuzz tool in July, they weren’t able to reproduce the exploitable crash until much later.

“At the time, neither Microsoft or
the Google security researcher identified any issues. On December 21, a new
version of the tool was reported to us along with information about a
potentially exploitable crash found by the new version. We immediately worked
to reproduce the issue with the updated and original tool and are currently
investigating it further to determine if it is actually exploitable. At this
point, we’re not aware of any exploits or attacks for the reported issue and
are continuing to investigate and monitor the threat environment for any
changes,” Jerry Bryant, group manager in the Trustworthy Computing Group at Microsoft said in an email.

“Security is an industry wide issue and Microsoft is
committed to working with researchers and/or the companies who employ them,
when they discover potential vulnerabilities and this case is no exception.
Working with software vendors to address potential vulnerabilities in their
products before details are made public, reduces the overall risk to customers.
In this case, risk has now been amplified.”

There’s also another known vulnerability affecting IE 6, 7 and 8 that Microsoft has not patches as of yet.

Categories: Vulnerabilities