Microsoft is planning to release nine security bulletins in the July Patch Tuesday update to address bugs in a number of products, including Windows, Internet Explorer and Microsoft Office.
Microsoft plans to release nine
security bulletins July 10 to cover 16 vulnerabilities as part of the monthly
Patch Tuesday software fixes.
According to Microsoft, three of the bulletins
are rated "critical," and deal with issues affecting Windows and
Internet Explorer. The remaining six bulletins are classified by Microsoft as
"important," and involve issues affecting Microsoft Office, Developer
Tools, Windows and Microsoft Server Software.
The most interesting Bulletins are
1, 3 and 4. For 1 and 3, these are really appealing to an attacker because they
are remote-code executions of almost every version of Windows, said Alex
Horan, senior product manager, CORE Security. Its a widely deployed base and
the same vulnerability across all those operating systems. You write the exploit
once and with tweaks, it can exploit all of them.
Bulletin 4 involves a flaw
that would be highly attractive to attackers as well because it covers
basically every version of Microsoft Office in the last nine years, he
As an attacker, I would just need
to send an email to someone running a vulnerable Microsoft Office system
anywhere in the world, get them to interact with something on that email, and I
have control of their machine, he said. The attacker does not need to see
the system they are targeting. This makes the initial attack easier and a
higher-probability. This initial attack vector, in combination with MS
Offices widely deployed installed base, makes this bulletin a very attractive
issue for attackers.
It is not clear whether the patches
will include a fix for CVE-2012-1889, a vulnerability affecting versions of
Microsoft XML Core Services that is currently being exploited in the wild.
Microsoft released a temporary fix
for this last month, and hopefully organizations will apply that while
Microsoft works on a permanent fix; however, it isnt clear whether that will
be issued in the July Patch Tuesday release, noted Marcus Carey, security
researcher at Rapid7.
The Patch Tuesday update is slated
for Tuesday, July 10.