After being battered by a record Patch Tuesday last month, January may come as a relief to system administrators everywhere. This month’s patch cycle includes two bulletins—one rated “important,” only covering Windows Vista; the other rated “critical,” covering all currently supported Windows versions.
What’s noticeable is what is not being patched. Two zero-day vulnerabilities are known to be present in Windows, though neither was patched today. The first is a vulnerability in Internet Explorer (IE) that we talked about in late December and that has already been used in the wild. The second, a flaw in the Graphics Rendering Engine, has not been exploited to date.
As we previously mentioned when the IE vulnerability was discovered, our free add-on Browser Guard already offers protection by preventing browser exploits and analyzing in-browser scripts for malicious characteristics and behaviors. Until an official patch is issued, users should consider using Browser Guard as their way of mitigating a potential threat.
For enterprise users, we offer specific solutions to deal with vulnerabilities. Both Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in have rules that protect users not just against the vulnerabilities patched today but also against both unpatched vulnerabilities. A rule covering the IE vulnerability has been available since late December, while coverage for the Graphics Rendering Engine flaw was part of a regular update.