Microsoft is set to release seven security updates next week as part of its monthly Patch Tuesday affair, including two critical bulletins and five rated as “important”.
Of the two critical bulletins, one affects all versions of Internet Explorer across all systems. Interestingly, it will addresses a remote code execution vulnerability made public last month by HP Tipping Point’s Zero Day Initiative after it got tired of waiting for Microsoft to release a fix.
HP explained the vulnerability as follows:
“The specific flaw exists within the handling of CMarkup objects. The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”
The other critical bulletin relates to all Windows, Office and Lync and addresses a “remote code execution” flaw, like the first.
The remaining five “important” updates cover remote code execution, “information disclosure”, “denial of service” and “tampering”, according to Microsoft.
Chris Goettl, product manager at Shavlik, said that so far this year Microsoft has released 15 fewer bulletins than in 2013, which could be because of the lack of XP patches.
He added that the second critical vulnerability could be executed via a phishing campaign designed to get users to click on a malicious link or open a malware-ridden file.
“Given the critical rating, it wouldn’t surprise me if there’s an added element to this that makes it more dangerous than your standard phishing attack. It’s also possible that Microsoft has seen some attacks in the wild,” he added.
Goettl argued that sysadmins should keep a close eye on the remaining bulletins (4-7) as they affect programs regularly used by end-users.
“Any impact on the usability of these programs is likely to result in an influx in help desk requests,” he added.
Russ Ernst, director at Lumension, said that managers should also look out for the the patches related to Windows Server.
“Bulletins 2 and 4 target Windows Server 2003 so this is a good time to note its impending end of life in July, 2015,” he added. “We are coming up on just a year out now and because any changes to your server will likely be a significant amount of work, it isn’t too soon to get started on that plan.”