In December, Microsoft said that the month's five updates fixed the last DLL load hijacking bugs it knew about. "This fixes all of the [Windows] components that we're aware of," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview Dec. 14. He left the door open to more, however. "We're not closing that [DLL load hijacking] advisory just yet, and will continue to investigate."
Last month, researchers were skeptical that users were seeing the end of Microsoft's DLL load hijacking problems.
Today, Wolfgang Kandek, chief technology officer of Qualys, a California-based security risk and compliance management provider, said to expect more from Microsoft. "We can expect a pretty constant stream, I think," said Kandek.
Also on Tuesday, Microsoft offered users an application "shim" that blocks in-the-wild attacks against IE that exploit a bug first disclosed last month.
Microsoft left several bugs unpatched today. In the last several weeks, the company has acknowledged a critical flaw in IE and serious vulnerabilities in Windows XP, Vista, Server 2003, and Server 2008, and confirmed reports that Chinese hackers were scouring the Web for information on another IE flaw.
The latter vulnerability was submitted to Microsoft last summer by Google security engineer Michal Zalewski. Microsoft and Zalewski have traded barbs over the timeline of his bug report, and over his subsequent release of a "fuzzer" tool that found the flaw.
Today's security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.