Microsoft has published an advance notification for the vulnerabilities it will patch in the January 2013 'Patch Tuesday' security bulletins due next week. However, anyone hoping for a permanent fix for the Internet Explorer zero-day that surfaced over the holiday period is going to be disappointed: there is no IE patch in this batch. That might surprise some, given how regular IE security bulletins have become of late, but expecting a zero-day fix from Microsoft only a week or so after disclosure is optimistic to say the least.
The zero-day in question affects versions 6, 7 and 8 of Internet Explorer. It is a use-after-free: IE accesses an object in memory that has already been deleted or was improperly allocated, and an attacker who lures a victim to a malicious (or maliciously compromised) web site can use it to execute code remotely on the target machine. The exploit is being used in the wild and is publicly available as a Metasploit module. Although there will be no permanent patch next week, Microsoft has already released a one-click 'Fix it' as a temporary workaround while a proper patch is developed. Upgrading to Internet Explorer 9 or 10 also removes the exposure, as neither is listed as vulnerable.
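Because the advisory's affected list is defined purely by IE major version, the first thing an IT security team needs is an inventory of which hosts are still on IE 6, 7 or 8. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller is a local administrator there, and the host names in the usage line are placeholders. It does not detect whether the temporary Fix it has been applied.

```powershell
# Added example (not from the article or from Microsoft): inventory IE versions
# across Windows hosts and flag the ones still on IE 6/7/8, which the advisory
# lists as affected. IE 9 and 10 are not listed as affected.
# Assumes WinRM is enabled on the targets and the caller is a local admin there.

function Get-IEMajorVersion {
    # Runs on the target host. IE stores its version under this key; IE 10
    # records its real build in svcVersion and leaves Version at 9.x for
    # compatibility, so prefer svcVersion when it exists.
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $ver = if ($props.PSObject.Properties['svcVersion']) { $props.svcVersion } else { $props.Version }
    return [int]($ver.Split('.')[0])
}

function Test-IEZeroDayExposure {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    foreach ($name in $ComputerName) {
        try {
            # Ship the function body to the remote host and get back the major version.
            $major = Invoke-Command -ComputerName $name `
                                    -ScriptBlock ${function:Get-IEMajorVersion} `
                                    -ErrorAction Stop
            $exposed = ($major -le 8)
            [pscustomobject]@{
                ComputerName = $name
                IEMajor      = $major
                Exposed      = $exposed
                Action       = if ($exposed) { 'Apply the Fix it now; upgrade to IE 9/10 or patch when released' }
                               else          { 'Not listed as affected' }
            }
        } catch {
            # A host we cannot query is unknown, not safe; surface it explicitly.
            [pscustomobject]@{
                ComputerName = $name
                IEMajor      = $null
                Exposed      = $null
                Action       = "Query failed: $($_.Exception.Message)"
            }
        }
    }
}

# Usage (placeholder host names):
# Test-IEZeroDayExposure -ComputerName 'ws01','ws02','srv-file01' | Format-Table -AutoSize
```

Treat hosts that fail the query as unresolved rather than clean; a workstation that is off the network today is the one most likely to still be running IE 8 when it comes back.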
So what can we expect to see fixed as part of the forthcoming Patch Tuesday collection? Lamar Bailey, Director of Security Research and Development for nCircle, says: "We're starting 2013 with two critical code execution vulnerabilities in Windows. One affects Windows 7 and the other affects everything including Windows 8. Bulletin two affects a range of core components in Windows along with server software and developer tools. Given the scope of the software affected and the critical rating, this bulletin has the potential to give IT security teams a lot of heartburn next week."
Meanwhile, Ziv Mador, Director of Security Research with the advanced security 'SpiderLabs' team at Trustwave, warns: "If you were hoping for a nice relaxing Patch Tuesday after the holidays, well, sorry to disappoint you. Microsoft will be issuing seven new bulletins next week; two of them are rated as 'Critical'. Both critical bulletins can result in the holy grail of remote code execution. The other five bulletins are all rated as 'Important'. Of the two critical bulletins, one of them lists all currently supported versions of Windows from XP SP3 up to Server 2008 R2 as well as several versions of Office, SharePoint and Groove Server. This is most likely an issue in one of the base libraries, meaning it will have a wide impact. The other critical bulletin only lists Windows 7 and Server 2008 as vulnerable, but it still results in RCE so it shouldn't be taken as any less serious. The five remaining 'Important' bulletins result mostly in Elevation of Privilege, with one Security Feature Bypass and one Denial of Service. Six of them impact different versions of Windows and Windows Server, with one Elevation of Privilege hitting Microsoft System Center Operations Manager. The MS SCOM is a cloud management platform allowing you to manage multiple hypervisors."