Microsoft Readies Patches for 16 Security Vulnerabilities
Microsoft plans to release nine security bulletins July 10 to cover 16 vulnerabilities as part of the monthly Patch Tuesday software fixes.
According to Microsoft, three of the bulletins are rated "critical," and deal with issues affecting Windows and Internet Explorer. The remaining six bulletins are classified by Microsoft as "important," and involve issues affecting Microsoft Office, Developer Tools, Windows and Microsoft Server Software.
The most interesting Bulletins are 1, 3 and 4. For 1 and 3, these are really appealing to an attacker because they are remote-code executions of almost every version of Windows, said Alex Horan, senior product manager, CORE Security. Its a widely deployed base and the same vulnerability across all those operating systems. You write the exploit once and with tweaks, it can exploit all of them.
Bulletin 4 involves a flaw that would be highly attractive to attackers as well because it covers basically every version of Microsoft Office in the last nine years, he continued.
As an attacker, I would just need to send an email to someone running a vulnerable Microsoft Office system anywhere in the world, get them to interact with something on that email, and I have control of their machine, he said. The attacker does not need to see the system they are targeting. This makes the initial attack easier and a higher-probability. This initial attack vector, in combination with MS Offices widely deployed installed base, makes this bulletin a very attractive issue for attackers.
It is not clear whether the patches will include a fix for CVE-2012-1889, a vulnerability affecting versions of Microsoft XML Core Services that is currently being exploited in the wild.
Microsoft released a temporary fix for this last month, and hopefully organizations will apply that while Microsoft works on a permanent fix; however, it isnt clear whether that will be issued in the July Patch Tuesday release, noted Marcus Carey, security researcher at Rapid7.
The Patch Tuesday update is slated for Tuesday, July 10.