Two Windows patches coming, IE fix uncertain

It remains to be seen whether the software giant on Dec. 13 will address an outstanding Internet Explorer issue that is currently the target of a malicious Trojan.

Microsoft will release two critical security updates for Windows tomorrow, though it remains unclear whether either will fix an outstanding Internet Explorer issue that is currently the target of malicious code.

On its TechNet site today, Microsoft said its next scheduled "Patch Tuesday" release on Dec. 13 will feature a pair of bulletins affecting Windows, at least one of which is expected to be deemed critical.

Additionally, the software giant will release two non-security high-priority updates on Windows Update and Software Update Services (SUS), plus three other non-security high-priority updates via Windows Update and Windows Server Update Services (WSUS). Per usual, its malicious software removal tool will be updated as well.

Microsoft seems to be taking it easy on administrators as 2005 comes to a close. Last month it released just one critical update, a breeze compared with the nine patches it made available in October.

As it does each month, though, Microsoft included the following disclaimer: "Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released."

It remains to be seen whether Microsoft will address a memory corruption flaw in the browser that is currently the target of a malicious Trojan.

"This issue was originally reported to the public in May as being a stability issue that caused the browser to close," the software giant said in an advisory on its Web site. "Since then, new information has been posted that indicates remote code execution could be possible. We have also been made aware of proof-of-concept code and malicious software targeting the reported vulnerability."

Microsoft warned in a subsequent advisory that TrojanDownloader.Win32/Delf-DH is targeting the flaw. "This Trojan is downloaded to a computer automatically when a user visits certain Web sites," Microsoft said.

It indicated that an out-of-cycle security update may be necessary, prompting speculation that Microsoft may release a patch prior to this coming Tuesday. However, no such update has yet been released.

This article originally appeared on SearchSecurity.com.
