Two critical vulnerabilities are among the eight bugs that Microsoft will fix on Patch Tuesday, but none will be addressed in Windows XP, the still widely used operating system that lost support in April.
Microsoft will address three remote code execution vulnerabilities, but only two of the flaws are deemed critical, meaning the bugs can be exploited to allow for code execution without any user interaction.
One remote code execution bug impacts Internet Explorer (IE) 6 through IE 11 on all Windows platforms, according to a notification posted on Thursday; the same notification explains that the other remote code execution flaw impacts SharePoint Server 2007, 2010 and 2013.
The third remote code execution vulnerability, which is deemed important, impacts Microsoft Office 2007, 2010 and 2013. In a statement emailed to SCMagazine.com on Thursday US time, Qualys CTO Wolfgang Kandek said that the attack vector involves a malicious document that the victim has to open.
“Attackers would use a document, like in a social engineering attack, which aims at convincing the user to open the document, for example, by making it appear as coming from the user's HR department, or promising information about a subject of interest to the user,” Kandek said.
Of the remaining patches, all of which are deemed important, three address elevation of privileges in Windows and .NET Framework, one addresses a denial-of-service issue in Windows, and the final one addresses a security feature bypass in Microsoft Office.
Despite dropping support in April, Microsoft included Windows XP in an unscheduled patch, released early this month, to address a critical zero-day remote code execution vulnerability affecting IE 6 through IE 11. The bug was being exploited in a campaign known as Operation Clandestine Fox.