Microsoft announced that next week's edition of Patch Tuesday will deliver bulletins for two Windows issues: one "important" bug that affects only Windows Vista, and a "critical" one that affects all supported versions of Windows.
The low number of updates this month is not good news, as security researchers point out that Microsoft is neglecting to plug two critical vulnerabilities in Internet Explorer:
Microsoft said it is not releasing updates to address a hole affecting Windows Graphics Rendering Engine that it disclosed earlier this week, or one disclosed in late December, Security Advisory 2488013, that affects Internet Explorer and for which there have been reports of targeted attacks, the company said in a post on the Microsoft Security Response Center blog.
"We continue to actively monitor both vulnerabilities and for Advisory 2488013 we have started to see targeted attacks," the post said. "If customers have not already, we recommend they consult the Advisory for the mitigation recommendations. We continue to watch the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog."
Also not mentioned in the Patch Tuesday preview announcement by Microsoft is a bug in IE disclosed last weekend by Michal Zalewski, a security researcher for Google based in Poland. Zalewski released a tool he used to find the hole and others in all the major browsers and said that an exploit for the IE bug had been leaked to the Web accidentally. Security firm Vupen has confirmed the critical hole in IE 8. Microsoft says in Security Advisory 2490606 that it is investigating the bug reports.