Microsoft will release seven patches next week to cover updates for Word, Office and Internet Explorer.
Included is a critical update for Internet Explorer that addresses a vulnerability which, according to Microsoft, has not been used in any active attacks, while the other critical patch addresses a remote code execution issue in Windows, Office and Lync.
The other five patches are rated as critical; one is for a remote code execution vulnerability, two for information disclosure flaws, one for a denial-of-service bug and the final one for “tampering”.
Russ Ernst, director of product management at Lumension, said: “Last month, IE saw a lot of activity, first with the out-of-band patch released on May 1, a point fix released as part of May’s Patch Tuesday, and a vulnerability that was publicly disclosed by the Zero-Day Initiative on May 21st. We will have to wait and see if June Patch Tuesday is a cumulative update for the popular browser, but odds are it will be. And if you’re still using XP, you’re out of luck.”
Wolfgang Kandek, CTO of Qualys, said: “Bulletin two is a bit strange, because it affects Windows, Office and Lync, the Microsoft IM client. It must be in a component that is present separately in all three software packages. In addition it is rated only “important” in Office, indicating that it is a file-based vulnerability. Our bet is on a graphics format vulnerability, but we will see next Tuesday. Keep an eye on this one.”
Ernst said: “Notably, bulletins 2 and 4 target Windows Server 2003, so this is a good time to note its impending end of life in July 2015. We are coming up on just a year out now, and because any changes to your server will likely be a significant amount of work, it isn’t too soon to get started on that plan.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “Given that the first critical is an IE vulnerability affecting all supported versions, it’s likely we will again see patches for XP Embedded; the same might be true for the second, depending on the exact affected component. Given that the second bulletin will affect Lync Server and the older Live Meeting Console, this may be a truly remotely exploitable vulnerability. Needless to say, these are the top two patching priorities.
“The tampering label on the seventh bulletin may suggest it allows a message to be altered in transit. Probably a limited scenario for exploitation.”