Microsoft plans to release a pair of critical bulletins on Tuesday for its first round of 2013 monthly security updates, but still has no announcement regarding a patch for the zero-day vulnerability and exploit in Internet Explorer reported over the Christmas holiday.
Users are urged to apply a Fix It released Dec. 31 for the vulnerability in IE 6, 7 and 8 that was at the heart of an attack on the Council on Foreign Relations website as well as that of energy manufacturer Capstone Turbine Corp. Dustin Childs, Trustworthy Computing group manager, reiterated that Microsoft is working on a patch and the impact of the attack is limited. It’s possible we will see an out-of-band patch prior to the February Patch Tuesday updates.
In the meantime, Windows admins will have seven bulletins to contend with on Tuesday that will address a dozen vulnerabilities in Windows, Office, Developer Tools, .NET and Microsoft Server Software, the company’s advisory said.
The first of the two critical bulletins affects all Windows and Office versions and some server software, while the second is for Windows 7 and Windows Server 2008 R2 only. Both vulnerabilities would enable an attacker to remotely execute code on a vulnerable Windows machine.
“It is likely that it is a vulnerability in one of the base libraries of Windows that is widely used, such as Windows XML Core Services,” said Qualys CTO Wolfgang Kandek.
Three of the vulnerabilities rated important by Microsoft are privilege escalation flaws in Windows, Windows Server Software, and/or the .NET development framework.
The two remaining important vulnerabilities are a security feature bypass bug and a denial-of-service vulnerability, both also impacting Windows and/or .NET.
Oracle’s quarterly Critical Patch Update is due on Jan. 15 as well.