Microsoft is planning a quiet Patch Tuesday today, with two bulletins set to be unveiled later in the day.
The software giant is planning just two bulletins to address a total of three vulnerabilities. The first bulletin has an “Important” rating and only affects Windows Vista systems. The second has a “Critical” rating and affects all supported versions of Windows. Both bulletins will require a reboot.
The first Patch Tuesday of 2011 is quiet in comparison to the last of 2010 in December. Microsoft released 17 bulletins in December that addressed 40 vulnerabilities across Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange.
However, Microsoft is not planning to address two unpatched vulnerabilities in its first 2011 Patch Tuesday. Microsoft recently warned of a publicly disclosed flaw affecting the Windows Graphics Rendering Engine on Vista, Server 2003 and Windows XP. The vulnerability is triggered when the Windows Graphics Rendering Engine improperly parses a specially crafted thumbnail image, resulting in a stack overflow. Windows 7 is unaffected by the flaw.
Microsoft’s second unpatched vulnerability is a CSS issue with Internet Explorer. The issue is caused by a use-after-free error within the mshtml.dll library when processing web pages featuring CSS that uses “@import” rules. Attackers can exploit the flaw to execute arbitrary code via a specially crafted web page. The vulnerability affects Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3. Internet Explorer 6 and 7 are also affected on Windows XP SP3.
Microsoft is expected to address both unpatched flaws soon, according to a blog post on Microsoft’s Security Response Center:
“This month we will not be releasing updates to address Security Advisory 2490606 (public vulnerability affecting Windows Graphics Rendering Engine) and Security Advisory 2488013 (public vulnerability affecting Internet Explorer). We continue to actively monitor both vulnerabilities and for Advisory 2488013 we have started to see targeted attacks. If customers have not already, we recommend they consult the Advisory for the mitigation recommendations. We continue to watch the threat landscape very closely and if the situation changes, we will post updates”