In sharp contrast to last month's barrage of critical patches, Microsoft on Tuesday offered up just one "important" fix for users to implement in its scheduled round of security updates for November.
But a new exploit that took advantage of an as-yet-unpatched vulnerability in Microsoft's Internet Explorer Web browser could force the company to release an out-of-cycle patch before its next round of monthly updates, analysts said.
Microsoft's latest patch fixed a hole in the company's Internet Security and Acceleration Server. The vulnerability could allow an attacker to spoof trusted Internet sites and content, according to Microsoft.
"At this point, we are considering this a moderate threat," said Oliver Friedrichs, a senior manager at Symantec's security response center. "The main thing we are concerned about is that this vulnerability could be used to launch phishing attacks," Friedrichs said.
However, a new version of February's Mydoom worm that took advantage of an unpatched and recently announced vulnerability in Microsoft's Internet Explorer IFrame function has already begun spreading. The mass-mailing worm, which spread via e-mail, was dubbed Bofra or Mydoom AH and was rated as a low risk to corporate security by Symantec.
"Early indications are that to be infected, a user must click on a malicious Web link sent in an e-mail," Microsoft said in a statement.
"This is a zero-day vulnerability," said Thor Larholm, senior security researcher at PivX Solutionsin. "We are definitely hoping that Microsoft will schedule an out-of-cycle patch to fix this one since exploits are already out there."
Microsoft, which moved to a monthly patch-release cycle in October 2003, released an out-of-cycle patch in July to address a similar zero-day exploit.