Two critical vulnerabilities are among the eight bugs that Microsoft will fix on its upcoming Patch Tuesday, but none will be addressed in Windows XP, the still widely used operating system that saw support end in April.
Microsoft will address three remote code execution vulnerabilities, but only two of the flaws are deemed critical, meaning the bugs can be exploited to allow for code execution without any user interaction.
One remote code execution bug affects Internet Explorer (IE) 6 through IE 11 on all Windows platforms, according to a notification posted on Thursday; the notification explains that the other critical remote code execution flaw affects SharePoint Server 2007, 2010 and 2013.
The third remote code execution vulnerability, which is deemed important, impacts Microsoft Office 2007, 2010 and 2013. In a statement emailed to SCMagazineUK.com, Wolfgang Kandek, CTO with Qualys, said that the attack vector involves a malicious document that the victim has to open.
“Attackers would use a document, like in a social engineering attack, which aims at convincing the user to open the document, for example, by making it appear as coming from the user's HR department, or promising information about a subject of interest to the user,” Kandek said.
Of the remaining patches, all of which are deemed important, three address elevation of privileges in Windows and .NET Framework, one addresses a denial-of-service issue in Windows, and the final one addresses a security feature bypass in Microsoft Office.
Despite dropping support in April, Microsoft included Windows XP in an unscheduled patch, released early this month, to address a critical zero-day remote code execution vulnerability affecting IE 6 through IE 11. The bug was being exploited in a campaign known as Operation Clandestine Fox.
Kasper Lindgaard, director of research and security at Secunia, notes that 17 percent of computers are still using XP and comments: “Come Tuesday, Microsoft will be patching some vulnerabilities in Windows, and it is realistic to assume that at least one of these will also affect Windows XP. ... Newly discovered vulnerabilities in XP will be unpatchable for private users, and therefore we will see a rise in attacks. XP users will in future basically be ‘free-for-all’ to hackers, who can create and use exploits at will. Future patches to the other Windows operating systems will be reverse engineered by hackers, seeking to discover which vulnerabilities were fixed by Microsoft, and subsequently – if applicable – modified to work against Windows XP.”