Microsoft has issued two security updates for Windows vulnerabilities. However, the updates do not address two of the most recently reported bugs — an Internet Explorer vulnerability and an issue with the Windows graphics rendering engine.
The update resolves two vulnerabilities in the data access components that could allow remote code execution through drive-by attacks from infected web pages. It affects XP, Vista and 7 along with Server 2003 and 2008. One of the updates is marked as critical and covers all supported versions of Windows, while the other weakness is marked important and affects Server 2003 and 2008.
The IE bug that is at the heart of a stoush between a security engineer and Microsoft, reported last week, has not been addressed. Microsoft has said that the vulnerability relates to uninitialised memory during a CSS function within the browser that is vulnerable to ‘drive by’ web-based attacks.
The uninitialised memory could be leveraged if the browser loads an infected webpage, which could allow an attacker to gain remote control with the same user rights as the legitimate local user. Internet Explorer on XP, Vista and Windows 7 is vulnerable. Microsoft is still working on a fix.
The other vulnerability affects the Windows graphics rendering engine. If exploited, it could potentially allow remote code execution, but no attacks have been reported so far. Microsoft said an attacker could install programs, view, change or delete data, or create new accounts with full user rights. However, it noted that accounts with fewer user rights could be better protected than those operating with administrative user rights.
The vulnerability affects Windows XP SP3, Windows Vista SP1 and SP2 and some versions of Windows Server 2003 and 2008. Windows 7 is not affected.