Microsoft kicked off the year with two bulletins as part of its January security update.
One of the patches is rated "critical" and corrects two vulnerabilities in all supported versions of Windows. The flaws, which affect Microsoft Data Access Components, could allow an attacker to remotely execute code on an affected system if a user views a specially crafted web page.
The other bulletin earned an "important" designation and plugs one publicly disclosed flaw affecting Windows Vista. The flaw, which affects Backup Manager, could also allow remote code execution.
Microsoft said it is not aware of any active attacks that exploit the vulnerabilities addressed in this month's release.
“It should be a fairly light day for everyone,” Tyler Reguly, technical manager of security research and development at vulnerability management firm nCircle, said in a statement.
But January's modest update leaves several known flaws without patches.
The most severe of the outstanding vulnerabilities is a style sheet load bug affecting all versions of Internet Explorer that was made public late last month. In lieu of an immediate patch, the software giant this week released a suggested workaround for the flaw, which is being exploited in “limited” in-the-wild attacks.
Yesterday's update also left unpatched a zero-day Windows Graphics Rendering Engine vulnerability.
“It remains to be seen whether or not Microsoft will provide out-of-band patches for the zero-day issues that are poised to wreak havoc in enterprise environments, or if we will have to play ‘hurry up and wait’ until Patch Tuesday in February,” Paul Henry, security and forensic analyst at vulnerability management firm Lumension, said in a statement.
February's patches are due on the 8th.