Microsoft Corp. says its massive December security update didn't include patches for potentially critical vulnerabilities in Windows and Internet Explorer Microsoft Corp. last week acknowledged that its massive December security update didn’t include patches for potentially critical vulnerabilities in Windows and Internet Explorer. The company last Tuesday released patches for 28 software flaws; it was Microsoft’s biggest batch of fixes since it launched the regular monthly update schedule more than five years ago. Later that day, Microsoft said that “limited and targeted” attacks were under way by hackers exploiting an unpatched flaw in the WordPad Text Converter tool bundled with Windows. The company said that users must be tricked into opening the malicious files, which are likely to be delivered as e-mail attachments. A day later, Microsoft acknowledged an unpatched vulnerability in IE 7 after code needed to maliciously use it was released — mistakenly — by Chinese security researchers. The flaw can infect computers running IE7 on Windows XP. In a security advisory, Microsoft warned users about the IE flaw and listed countermeasures to take in lieu of a patch. It did not say whether it would patch the bug. VeriSign Inc.’s iDefense Labs unit said that a blog post from the Chinese research team reported that the attack code at one time traded for $15,000 on underground markets. The December updates include eight patches for bugs in Windows, Internet Explorer, Office, SharePoint, Windows Media, Visual Basic and Visual Studio. Microsoft ranked 23 of the 28 vulnerabilities fixed by the patches as critical, the top rating in its four-step scoring system. Researchers agreed that the first patch IT managers should apply is one for the Windows Graphics Device Interface (GDI). Andrew Storms, director of security operations at nCircle Network Security Inc., said hackers could exploit the GDI vulnerabilities by duping users into opening or viewing malicious Windows Metafile images. Other GDI bugs have been patched in the past, and Storms said the continual patching of the graphics rendering engine will likely lead to questions about the efficacy of Microsoft’s Security Development Lifecycle process, which looks for bugs as code is written. “I think that’s a fair question,” said Wolfgang Kandek, chief technology officer at Qualys Inc. “But is it realistic to expect Microsoft to find everything? No, it’s not.” Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe