Microsoft's first Patch Tuesday monthly security update of the year will be light compared with December's 17 patches, which fixed 42 vulnerabilities.
Microsoft plans only two updates on 11 January, with just one rated "critical", despite having two open zero-day vulnerabilities.
Alan Bentley, senior vice-president at security firm Lumension, said that, after last month's mammoth Patch Tuesday, security professionals might be breathing a sigh of relief at the few patches they have to deal with this month.
"However, I doubt there will be many putting their feet up just yet. Although Microsoft has acknowledged the Internet Explorer and Windows Graphics Rendering Engine zero-day issues on their site, there is seemingly nothing addressing these critical vulnerabilities in the upcoming release," Alan Bentley said.
Microsoft has instead focused on releasing an "important" patch for Windows Vista and a "critical" patch for all versions of Windows, including Windows 7, that will fix three holes in its operating systems.
Meanwhile, hackers have been using fake Microsoft Security updates to spread malware.
"Microsoft doesn't do e-mail patch updates, so many would be sceptical of such an e-mail already. However, just in case, users should be on the lookout for e-mails with 'Update your windows' in the subject line and an attached file entitled KB453396-ENU.zip," said Bentley.
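As an added illustration (not part of the article), the following Python checks incoming mail for the lure Bentley describes, and more generally flags any update-themed message carrying a zip attachment, since Microsoft does not distribute patches by e-mail. The sample messages are constructed here; the addresses and the `classify_message` / `build_sample` names are assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article for the fake "Update your windows" mail
SUSPICIOUS_SUBJECT = "update your windows"
SUSPICIOUS_ATTACHMENT = "kb453396-enu.zip"


def classify_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 5322 message looks like a fake Microsoft
    update lure. An empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if SUSPICIOUS_SUBJECT in subject:
        reasons.append("subject matches known lure")
    # iter_attachments() yields nothing for a non-multipart message
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == SUSPICIOUS_ATTACHMENT:
            reasons.append(f"attachment {name} matches known lure")
        elif name.endswith(".zip") and ("update" in subject or "microsoft" in subject):
            # Microsoft does not e-mail patches, so any zip "update" is suspect
            # even when the file name differs from the reported one
            reasons.append(f"zip attachment {name} on an update-themed mail")
    return reasons


def build_sample(subject: str, filename=None) -> bytes:
    """Constructed test message (hypothetical addresses) with an optional
    zip attachment; the payload is a fake zip header, not real content."""
    m = EmailMessage()
    m["From"] = "updates@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Please install the attached update.")
    if filename:
        m.add_attachment(b"PK\x03\x04" + b"\x00" * 16,
                         maintype="application", subtype="zip",
                         filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Update your windows", "KB453396-ENU.zip")
    for reason in classify_message(lure):
        print("ALERT:", reason)
```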
Wolfgang Kandek, chief technology officer of security firm Qualys, said even if the zero-day vulnerabilities are not included in the January monthly update, they could be patched before the end of the month, with one being confirmed only on 5 January.
The latest zero-day, a vulnerability in Windows Graphics Rendering Engine, could allow attackers to take control of targeted computers, Microsoft warned in a security advisory. The other, confirmed on 22 December, is a vulnerability affecting Internet Explorer.
Kandek said both flaws are reportedly used in targeted attacks and users should look at the mitigation steps outlined in the advisories.
Advisory KB2490606 includes a Microsoft Fix it button that home users and small businesses can use to apply the mitigation instructions, he said.
According to Kandek, the security community is also discussing two additional vulnerabilities in Internet Explorer and proof of concept code exists.
"We expect Microsoft to acknowledge them soon," he said.
A list of unpatched Microsoft vulnerabilities can be found on the SANS Internet Storm Center website.