Microsoft Patch Tuesday leaves holes unplugged

Microsoft has confirmed that it will not be patching two known security flaws this Tuesday, despite seeing targeted attacks against at least one - meaning it could be a month before either flaw gets fixed.

Although Microsoft will be releasing some security patches as part of its monthly update cycle, known as Patch Tuesday, Microsoft's Carlene Chmaj has stated outright that the company will not be patching the flaws detailed in Security Advisories 2490606 and 2488013.

The first advisory, which we wrote about earlier in the week, covers a flaw in the graphics rendering engine shipping with all versions of Windows prior to Windows 7 which leaves them open to arbitrary code execution from a remote attacker. In mitigation for the lack of a patch, Microsoft argues that it is "not aware of attacks that try to use the reported vulnerability or of customer impact at this time," while admitting that details of the flaw are public knowledge.

The second advisory covers a flaw in the way Internet Explorer handles CSS code, and can again lead to arbitrary code execution with the privileges of the currently logged-in user if a malicious site is visited. Worse, Chmaj admits that, unlike the graphics rendering engine flaw, the company has confirmed reports of targeted attacks in the wild that exploit the vulnerability.

Although the two update bulletins issued by Microsoft ahead of the Tuesday update roll-out fix some other major bugs - comprising an update for Windows Vista rated 'Important' and a fix for two other flaws in all versions of Windows rated 'Critical,' the company's highest ranking - the news that two critical vulnerabilities are going unfixed for another month isn't great.

While the possibility remains that Microsoft will issue an out-of-band fix for one or both of the flaws, an unscheduled update can cause nearly as much headache for a system administrator as an unpatched vulnerability - it requires full testing before being deployed onto a network, and the time for that testing must be found outside the regularly scheduled monthly update cycle.

The Internet's ne'er-do-wells, however, will be rubbing their hands with glee, safe in the knowledge that the two vulnerabilities - which are very much public at this point - will be exploitable for some time to come.