Internet Explorer cast a shadow over Microsoft's Patch Tuesday this week, as a fix for an IE zero-day exploit missed...
this month's release.
Microsoft posted a workaround to avoid the issue for the versions affected: Internet Explorer (IE) 6, IE 7 and IE 8. However, the workaround will crash the browser if it encounters the zero-day exploit while it is in-process, said Wolfgang Kandek, CTO of Qualys Inc., an IT services firm based in Redwood Shores, Calif.
Coupled with reports that the Fix it tool Microsoft released may itself be prone to failure, experts speculated that Microsoft may have to release an out-of-band patch to address the issue.
The Internet Explorer zero-day exploit could result in remote code execution if a user visits a maliciously crafted website.
Admins might expect to see an out-of-cycle update, if at all, next week at the earliest and two weeks from now at the latest, said Jason Miller, a member of the Patch Patrol Team at Roseville, Minn.-based Shavlik Technologies LLC.
January 2013 Path Tuesday: XML and printer spooling fixes
There are two critical bulletins fixed in the January 2013 Patch Tuesday updates. Microsoft's XML implementation is vulnerable to a remote code execution attack in almost every version of Windows, which includes Windows 8 and Windows Server installations.
This means systems could be targeted in a "drive-by" attack, Miller said, in that any number of applications using XML Core Services are also at risk.
The other critical bulletin dealt with Print Spooler components in Windows 7 and Windows Server 2008 R2. Despite being rated "critical", Kandek said the bulletin is of lesser importance than the XML bulletin.
"If people have good security practices, their printers will not be online," said Amol Sarwate, director of Qualys' Vulnerability Labs. Many effects of the spooling flaw can be avoided if the printer is on an office network and not online.
SCOM 2007 SP 1 admins: Expect delays
Admins who run Microsoft Service Center 2007 SP 1 should keep an eye on the bulletin for System Center Operations Manager. While a fix is in the works from Microsoft, it wasn't included with the other fixes released in Tuesday's updates.
The company is likely testing and trying to find the proper delivery mechanism for the update, Miller said.
Those with System Center Operations Manager 2007 R2 will have access to the update, but only from the download center.