Less than a week after releasing an out-of-cycle security patch, Microsoft got back on schedule by publishing two other patches it deemed “critical” in its January “Patch Tuesday” bulletin.
The Redmond, Wash., company released its second patch of the year, MS06-02, to fix a vulnerability in embedded web fonts. The flaw, which could allow for remote code execution, was reported by eEye Digital Security, Microsoft said.
An attack using this vulnerability would require tricking a user with a phishing email or other technique, said Alain Sergile, product manager for Internet Security Services' X-Force team.
"For this type of attack, there needs to be some kind of user interest," he said.
Microsoft's third patch of the month, MS06-03, was released to fix a TNEF decoding vulnerability in both Microsoft Office and Outlook. Remote code execution is also possible through this flaw, the company said.
John Heasman and Mark Litchfield of NGS Software reported the flaw to Microsoft, the computing giant said on its website.
MS06-03 would be of particular interest to corporate PC users, Sergile said.
"The patch for the TNEF flaw is very important because it affects Exchange, which is a major product used in corporate America," he said.
Russ Cooper, senior information security analyst with Cybertrust, said he believed Microsoft was right to release the WMF patch last week and follow up Tuesday with these two fixes, but said he didn't want to see the monthly patch cycle changed.
"That's what you get when a company is faced with an awful lot of hype," he said. "Nothing with the WMF flaw amounted to anything near that kind of hype. But I don't want to see Microsoft shortening their cycles because of a lot of media attention."