Light Patch Tuesday leaves out patches for two zero-day flaws

For Patch Tuesday, Microsoft’s security bulletin 1 is listed as “important” and only affects Windows Vista. Security bulletin 2 has both “critical” and “important” patches for all versions of the ubiquitous Windows system. The critical updates affect Windows XP, Vista, and Windows 7; the important updates impact Windows Server 2003, 2008, and 2008RS.

Microsoft said it would not be fixing zero-day vulnerabilities affecting Windows Graphics Rendering Engine (GRE), detailed in Security Advisory 2490606, and Internet Explorer (IE), detailed in Security Advisory 2488013. The company said it would “continue to actively monitor both vulnerabilities.”

Security researchers are scratching their heads about this Patch Tuesday collection. Paul Henry, security and forensic analyst at Lumension, called it a “strange mix.”

“It is typical to see legacy code or Windows 7 code included in these patchings, but Microsoft seems to be splitting across the product family; neither sticking to legacy or new code bases. Because they aren’t following the normal lead and going along with product families, we are curious to see how this one plays out”, Henry said.

What seems most noteworthy about this Patch Tuesday is what is being left out: the Windows GRE and IE zero-day vulnerabilities.

Henry threw up his verbal hands in frustration over this omission: “We get the sense that what we do now is hurry up and wait for these two zero days that currently exist in the wild, both of which could allow remote code execution, to unfold.”

Wolfgang Kandek, chief technology officer at Qualys, observed that these zero-day vulnerabilities are “reportedly used in targeted attacks and users should look at the mitigation steps outlined in the advisories.” Kandek added that the security community is looking at two more IE vulnerabilities and expects Microsoft “to acknowledge them soon.” He said that the Internet Storm Center has an overview that lists these open IE issues.

Andrew Storms, director of security operations at nCircle, warned: “Right now, the 2011 security trends do not look good for Microsoft. They need to respond to some of the zero-day bugs fairly quickly because the natives are becoming more restless with every new exploit."

In addition, Henry noted that hackers are using the Microsoft Patch Tuesday process itself to launch malware attacks. “The bad guys are yet again using fake Microsoft security updates to spread their malware. The most recent bogus email claiming to be an update from Microsoft (no-reply@microsft.com) included a malicious worm”, he warned.

What’s Hot on Infosecurity Magazine?