Microsoft will use the first Patch Tuesday of the New Year to address three vulnerabilities in its Windows architecture.
The company said it expected to issue two bulletins next week: one affecting Vista that was rated "important" and a second bulletin with an aggregate rating of "critical" that affected all supported versions of Windows.
The potential impact of all vulnerabilities was said to be remote code execution.
"As always, we recommend that customers deploy these updates as soon as possible," Microsoft trustworthy computing senior response communications manager Carlene Chmaj said in a blog post.
Microsoft confirmed that this month's release would not include fixes for the vulnerability in the Windows graphics rendering engine, nor a public vulnerability affecting Internet Explorer.
The IE vulnerability was caused by the "creation of uninitialised memory during a CSS function within Internet Explorer," the vendor said.
"It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted web page to gain remote code execution," Microsoft said in a security advisory.
Chmaj said today that Microsoft had "started to see targeted attacks" using the IE vulnerability.
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
iTnews State of Security Breakfast
iTnews State of Data & AI Breakfast
The 2026 iAwards
.jpg&w=120&c=1&s=0)
Integrate 2026
Security Exhibition & Conference
_(1).jpg&h=140&w=231&c=1&s=0)
