Microsoft skips IE zero-day fix

Microsoft is to release seven bulletins next week, but will not patch the zero-day vulnerability in Internet Explorer.

Of the seven bulletins, two are rated as critical and the remaining five as important. Software including RT, Office, SharePoint and System Center Operations Manager will also be patched.

Qualys CTO Wolfgang Kandek said the focus should be on the two critical bulletins.

"While the first one affects only Windows 7 and Windows 2008 R2, the second one lists all versions of Windows, plus a number of server software. It is likely that it is a vulnerability in one of the base libraries of Windows that is widely used, such as Windows XML Core Services, which had its last fix in July of 2012 under MS12-043.”

Trustwave SpiderLabs director of security research Ziv Mador one critical bulletin lists all currently supported versions of Windows from XP SP3 up to Server 2008 R2, as well as several versions of Office, SharePoint and Groove Server.

"This is most likely an issue in one of the base libraries meaning it will have a wide impact," Mador said.

“The other critical bulletin only lists Windows 7 and Server 2008 as vulnerable but it still results in remote code execution so it shouldn't be taken as any less serious.

“The five remaining ‘important' bulletins result mostly in elevation of privilege, with one security feature bypass and one denial of service. Six of them impact different versions of Windows and Windows Server, with one elevation of privilege hitting Microsoft System Center Operations Manager.”

However the zero-day that caused problems for Microsoft over the Christmas period will not be fixed next week. The vulnerability could allow remote code execution of Internet Explorer 6, 7 and 8 and Microsoft has released a workaround Fix It and encouraged users to use the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to help prevent exploitation of this vulnerability.

Lumension security and forensic analyst Paul Henry said the Microsoft Fix It workaround for the zero day flaw required a formal patch.

“However, Microsoft often fixes one thing to address another, so it's possible that they are correcting the issue with IE at the operating system level with one of the patches. If the browser is just a path to an underlying vulnerability in the operating system, then this issue will likely be fixed by one of the patches. If the vulnerability is exclusive to the browser, on the other hand, then this is still something to watch out for.”

Adobe has also announced that it will release security updates next Tuesday for Reader and Acrobat XI (11.0.0), earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux. Also, Oracle will publish its quarterly Critical Patch Update later this month.

This article originally appeared at scmagazineuk.com