Microsoft said today that it will release two security bulletins next week fixing three holes in Windows, but it is still investigating or working on fixing holes in Internet Explorer that have been reportedly exploited in attacks.
One bulletin due out on Patch Tuesday, rated "important," affects only Windows Vista, but the second one, with an aggregate rating of "critical," affects all supported versions of Windows.
Also not mentioned in the Patch Tuesday preview announcement by Microsoft is a bug in IE disclosed last weekend by Michal Zalewski, a security researcher for Google based in Poland. Zalewski released a tool he used to find the hole and others in all the major browsers and said that an exploit for the IE bug had been leaked to the Web accidentally. Security firm Vupen has confirmed the critical hole in IE 8. Microsoft says in Security Advisory 2490606 that it is investigating the bug reports.
Josh Abraham, a security researcher at Rapid7, was surprised that Microsoft was not rushing to fix holes that were reportedly being used in attacks.
"With only two bulletins this month, the big shock is that Microsoft is not addressing two security advisories that have already been weaponized," Abraham said. "I would bet that if the malicious attackers start using the exploits, then we will see an out-of-band patch."