Microsoft's Patch Tuesday updates omit known vulnerabilities
Microsoft plans to release two security bulletins this coming Tuesday, one of which it rates as critical, but neither will fix two already confirmed security vulnerabilities in Windows and Internet Explorer. The two bulletins Microsoft has announced address a total of three vulnerabilities. The 'critical' bulletin affects all versions of Windows; the second is rated 'important' and is only relevant to Windows Vista users. Microsoft will not release further details until Tuesday evening.
A posting on the Microsoft Security Response Center blog is frank in admitting that patches for two security vulnerabilities confirmed by Microsoft in recent weeks are not yet ready for release. Internet Explorer contains a critical bug in its handling of @import rules in Cascading Style Sheets (CSS) that can be exploited to inject and execute arbitrary code. The Windows Graphics Rendering Engine mishandles specially crafted thumbnail images, with the same consequence: code execution. Microsoft's security experts have confirmed that targeted attacks exploiting the IE vulnerability have already been observed. Proof-of-concept code for the thumbnail vulnerability is also publicly available, so attacks exploiting it are to be expected.
Until the patches arrive, Microsoft is pointing users who need protection to workarounds. Running Internet Explorer under the Enhanced Mitigation Experience Toolkit (EMET) should protect users from the IE vulnerability; its use is described in the heise Security article 'Damage limitation'. Note that EMET does not remove the flaw: it applies exploit mitigations such as DEP and mandatory ASLR to the browser process, which makes reliable exploitation considerably harder. Users can protect themselves from the thumbnail problem by disabling the display of thumbnails. A 'Fix it' that simplifies applying this workaround, and removing it again once the patch has been installed, is available.