Microsoft plans to issue two bulletins next week as part of its regular patching cycle, blocking two new zero-day vulnerabilities that surfaced in recent weeks and are being actively targeted by attackers.
In its advance notification
Microsoft will also plug a hole in the Windows Graphics Rendering Engine, which surfaced this week. The security bulletin is rated Important.
Microsoft said the vulnerability enables an attacker to use an embedded thumbnail image containing malicious code in drive-by attacks or by tricking a user into opening a malicious Word or PowerPoint file. The vulnerability affects all versions of Windows except Windows 7 and Windows Server 2008 R2.
The vulnerability was demonstrated last month by security researchers at the Power of Community security conference in Korea. The maintainers of the Metasploit Framework created a module for the zero-day flaw Tuesday, and Microsoft said it has begun detecting attacks targeting the vulnerability.
The security bulletins are scheduled to be released Jan. 11. In December, Microsoft issued a record 17 security bulletins, repairing 40 vulnerabilities across its product line. The bulletins included patches that addressed seven critical flaws in both client-side software and server systems.