Only Two Patches - One Critical - on Patch Tuesday
After a backbreaking December for security pros, January looks to be much easier, with the first patch drop of the New Year bringing only two bulletins.
Microsoft has a late Christmas present for security professionals in January.
Following what was one of the largest patch releases in Microsoft's (NASDAQ: MSFT) history last month, the company's first Patch Tuesday of 2011 coming next week will only feature two patches, just one of which is rated critical.
In comparison, last month, Microsoft released 17 patches that fixed a total of 40 security vulnerabilities, making a lot of security staffers work overtime close to the holidays in order to get them all tested and installed.
A company official, however, cautioned that neither of this month's patches will fix either of two recently confirmed zero-day vulnerabilities.
"This month we will not be releasing updates to address Security Advisory 2490606 (public vulnerability affecting Windows Graphics Rendering Engine) and Security Advisory 2488013 (public vulnerability affecting Internet Explorer). We continue to actively monitor both vulnerabilities and for Advisory 2488013 we have started to see targeted attacks," Carlene Chmaj, senior response communications manager for the company's Trustworthy Computing group, said in a post to the Microsoft Security Response Center (MSRC) blog Thursday.
The details came as part of Microsoft's regular advance notification, sent to security professionals to give them a heads-up on how much work awaits them on the second Tuesday of each month, when the company releases the majority of its security patches.
Microsoft warned about the Windows Graphics Rendering Engine flaw earlier this week and has already published a workaround. The company said it is working on a patch as well, but that the fix will not be issued out-of-band.
Meanwhile, the second bug that will remain unpatched for now, the Internet Explorer flaw, has been used in "targeted attacks" in the wild, Chmaj's post said. Neither bug has yet received a rating on Microsoft's four-tier severity scale.
"It is interesting to note that the most recent Internet Explorer and Windows Explorer vulnerabilities will go unpatched this month," HD Moore, chief security officer at researcher Rapid7 and founder of the Metasploit open source security project, said in an e-mail to InternetNews.com.
"The big shock this month is that Microsoft is not addressing two security advisories that have already been weaponized," Rapid7 security researcher Josh Abraham added.
Of the two patches to be issued on Tuesday, only one is rated critical, the highest threat level on Microsoft's scale. That vulnerability affects all supported client versions of Windows, from Windows XP Service Pack 3 (SP3) through Windows 7. The same bug also affects Windows Server releases, where it is rated only important, Microsoft's second-highest threat level.
The second patch is rated important and affects only Windows Vista.
Microsoft typically does not disclose bug details that could be useful to hackers until it has published patches for them.
Follow eSecurityPlanet on Twitter: @eSecurityP.