Microsoft is releasing fixes for eight bugs on Tuesday, May 13, two of them rated “critical,” according to an article in SC Magazine. However none of the bugs will be addressed in Windows XP, which is still widely used although Microsoft ended support for it last month.
Three remote code execution vulnerabilities are being patched. Two of the patches are rated critical because the bugs they address can be exploited to run code without any user interaction. One of the two affects Internet Explorer versions 6 through 11 on all supported Windows platforms. The other affects SharePoint Server 2007, 2010 and 2013.
The third remote code execution vulnerability is rated as “important” and affects Microsoft Office 2007, 2010 and 2013. Wolfgang Kandek, CTO of Qualys, told SC Magazine that the vulnerability enables attacks via a malicious document that the user is required to open.
“Attackers would use a document, like in a social engineering attack, which aims at convincing the user to open the document, for example, by making it appear as coming from the user’s HR department, or promising information about a subject of interest to the user,” Kandek said.
While Microsoft ended support for Windows XP in April, it did include the operating system in an unscheduled patch at the beginning of this month, a move that surprised many observers. That patch fixed a critical zero-day remote code execution vulnerability affecting IE 6 through IE 11. The in-the-wild exploit used an Adobe Flash exploitation technique to get arbitrary code running in the victim's browser.
Microsoft is also releasing its final draft security bulletins dealing with the latest threats. It will host a webcast to address customer questions about the bulletins on Wednesday, May 14 at 11:00 a.m. Pacific Time. Users can register here.
Other than the remote code execution vulnerabilities, three of the bugs being patched allow elevation of privilege, one enables denial of service and the eighth is a security feature bypass.
Microsoft (Nasdaq: MSFT) is also releasing an updated version of the Microsoft Windows Malicious Software Removal Tool.