Microsoft Halves January Patch Tuesday
An eleventh-hour change halved the number of expected security patches to four. However, missing from this month's updates are fixes for any of several zero-day attacks affecting the Microsoft Office suite.
No reasons were given for the change of plan, but when updates are pulled, quality assurance issues are generally the cause. One of the removed updates was for an Office flaw, but it is not clear whether the fix was for any of the aforementioned issues.
Of the updates released, three were rated "critical." Vulnerabilities in both Excel and Outlook that could result in a code execution risk were remedied. The other, a fix for Internet Explorer, repaired issues in the Vector Markup Language that could allow for remote code execution.
One "important" rated issue was fixed, addressing a vulnerability within the Brazilian Portuguese Grammar Checker application which could allow for remote code execution. However, user interaction is required to exploit the issue.
Among the unpatched flaws is the first confirmed vulnerability in Windows Vista, which BetaNews tests show also impacts XP and older Windows versions. That flaw involves a double-free memory buffer issue in the Win32 library, and was first publicly released on a hacker site operating in Russia. Last week, an engineer with security services firm eEye warned CIO Magazine that an executable file that deploys the system-crashing code could conceivably be packaged with a virus, although BetaNews tests reveal that the code itself, while detrimental to the current system session, does not cause damage.
Microsoft has not said when it plans to release the scrapped patches.