Microsoft said today that it will release two security bulletins next week fixing three holes in Windows, but it is still investigating or working on fixing holes in Internet Explorer that have been reportedly exploited in attacks.
One bulletin due out on Patch Tuesday, rated "important," affects only Windows Vista but the second one, with an aggregate rating of "critical," affects all supported versions of Windows.
Microsoft is not releasing updates to address a hole in the Windows Graphics Rendering Engine that it disclosed earlier this week, nor the one disclosed in late December in Security Advisory 2488013, which affects Internet Explorer and for which there have been reports of targeted attacks, the company said in a post on the Microsoft Security Response Center blog.
"We continue to actively monitor both vulnerabilities and for Advisory 2488013 we have started to see targeted attacks," the post said. "If customers have not already, we recommend they consult the Advisory for the mitigation recommendations. We continue to watch the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog."
Also not mentioned in the Patch Tuesday preview announcement by Microsoft is a bug in IE disclosed last weekend by Michal Zalewski, a security researcher for Google based in Poland. Zalewski released a tool he used to find the hole and others in all the major browsers and said that an exploit for the IE bug had been leaked to the Web accidentally. Security firm Vupen has confirmed the critical hole in IE 8. Microsoft says in Security Advisory 2490606 that it is investigating the bug reports.
Josh Abraham, a security researcher at Rapid7, was surprised that Microsoft was not rushing to fix holes that were reportedly being used in attacks.
"With only two bulletins this month, the big shock is that Microsoft is not addressing two security advisories that have already been weaponized," Abraham said. "I would bet that if the malicious attackers start using the exploits, then we will see an out-of-band patch."
Meanwhile, as Microsoft released its Patch Tuesday preview, Sophos is warning people about a fake Microsoft security update e-mail circulating that contains a worm. The subject line says "Update your Windows" and urges recipients to download an attached executable. But Microsoft does not issue security patches via e-mail attachments. Another clue that it's a scam: Microsoft is misspelled in the forged e-mail header as "microsft."
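The two tells Sophos points to, an executable attachment and a lookalike sender domain, are both mechanically checkable at the mail gateway. The following is an added example, not code from the article or from Sophos or Microsoft, that parses a constructed message modelled on the fake update (subject "Update your Windows", sender domain "microsft.com", attached .exe) and flags it. The legitimate-domain list, the executable extension list and the edit-distance threshold of 2 are assumptions chosen for the example.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed allow-list of domains the organisation treats as genuine Microsoft senders
LEGIT_DOMAINS = {"microsoft.com"}
# Assumed set of attachment extensions that a vendor would never send as a "patch"
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Constructed sample message, modelled on the fake update described in the article.
# The base64 payload is a placeholder, not a real binary.
SAMPLE_EML = b"""From: Microsoft Security <update@microsft.com>
To: user@example.com
Subject: Update your Windows
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please install the attached update.
--XYZ
Content-Type: application/octet-stream; name="KB-update.exe"
Content-Disposition: attachment; filename="KB-update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between a sender domain and a legitimate one mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    """Domain of the From: address, lower-cased (empty string if no @ present)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def lookalike_domain(domain: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return the legitimate domain this one imitates, or None if it is exact or unrelated."""
    for good in legit:
        if domain != good and levenshtein(domain, good) <= max_distance:
            return good
    return None


def executable_attachments(msg):
    """Filenames of attachments whose extension is in EXEC_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in EXEC_EXTENSIONS):
            names.append(name)
    return names


def analyze(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report the indicators the article describes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    domain = sender_domain(msg)
    findings = {
        "subject": str(msg.get("Subject", "")),
        "sender_domain": domain,
        "lookalike_of": lookalike_domain(domain),
        "executable_attachments": executable_attachments(msg),
    }
    findings["suspicious"] = bool(findings["lookalike_of"] or findings["executable_attachments"])
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

On the sample, the sender domain "microsft.com" sits at edit distance 1 from "microsoft.com" and the attachment is a .exe, so either check alone is enough to quarantine the message; a genuine mail from microsoft.com with no executable attachment passes both.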