Microsoft Corp. has announced plans to ship two security bulletins on Patch Tuesday next week, and security analysts say its a safe bet that one will cover critical flaws in the Internet Explorer browser.
As part of its advance notice mechanism, Microsoft said at least one of the two bulletins will be rated "critical," but details are being withheld until Dec. 13.
"Id be shocked if they didnt issue a fix for IE," said Marc Maiffret, co-founder and chief hacking officer at eEye Digital security, a research company that regularly reports software flaws to Microsoft.
Maiffret noted that at least one unpatched IE flaw was being exploited by malicious hackers to plant backdoors on vulnerable machines; he argued that Microsoft should act responsibly and ship an IE update.
Even after Patch Tuesday, Maiffret said that several dangerous Windows flaws will remain unpatched.
They include three "high risk" bugs that are more than 100 days overdue, according to a list of upcoming advisories maintained by eEye.
Microsoft originally planned to ship an out-of-cycle emergency bulletin to thwart the IE attacks, but sources say the rigorous quality assurance testing that is required for cumulative browser updates forced the company delay the patches.
Since then, anti-virus vendors say at least two Trojan attacks launched from porn sites have successfully exploited the IE hole.
In one attack, Microsoft has confirmed that the Win32/Delf.DH Trojan downloader is being planted on Windows machines.
When a user visits certain Web sites, a file named "KVG.exe" or "keks.exe" is automatically downloaded from the Web site to the users Startup folder.
The downloader then downloads and runs another Trojan downloader every five minutes and saves it in the Windows system folder as "all.exe."
The company has posted a pre-patch advisory with workarounds.
Anti-virus vendor Sophos Inc. also discovered another Trojan, identified as Clunky-B, taking control of Windows PCs via the unpatched IE hole.
"Weve seen Clunky coming from a small number of dodgy Web sites. Its being launched from some hacking sites and pornography sites, so its not really a large-scale threat," said Graham Cluley, senior technology consultant at Sophos.
Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center to add detections for new malware families.