September 26, 2016

Microsoft to fix three critical remote code execution vulnerabilities on Tuesday

(LiveHacking.Com) – Microsoft has released its advance notification for what issues the company expects to fix during this month’s Patch Tuesday. The notice mentions nine bulletins of which three are marked as Critical and are connected with remote code execution vulnerabilities. The other six bulletins are marked as Important and concern remote code execution, information disclosure and elevation of privileges. The nine bulletins address a total of 16 vulnerabilities in a variety of Microsoft products including Microsoft Windows, Microsoft Office, Internet Explorer, and Visual Basic.

It is anticipated that Microsoft will patch the vulnerability in its XML Core Services which is being actively exploited on the Internet. Last month Microsoft issued a security advisory about the vulnerability, which can allow remote code execution if a user views a specially crafted webpage using Internet Explorer, and at the same time it issued a Fix it workaround that essentially disables the vulnerable component in IE. The vulnerability, which also affects Office 2003 and Office 2007, exists when MSXML attempts to access an object in memory that has not been initialized; this can corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. A working exploit for the bug has also been converted into a Metasploit module.

The second of the nine bulletins is specifically for Internet Explorer 9. This is somewhat unusual, as errors found in IE often also apply to IE 8 and sometimes IE 7, but this bulletin is only for IE 9. What is also interesting is that Microsoft updated all versions of Internet Explorer during last month's Patch Tuesday. IE 9, being the latest version, is meant to be the most secure version.

Bulletins 4 and 8 address Microsoft Office flaws and affect Office 2003 Service Pack 3, Office 2007 Service Pack 2, Microsoft Office 2010 and Microsoft Office 2010 Service Pack 1. Both are marked as Important; one addresses a remote code execution vulnerability while the other concerns elevation of privileges.

Finally it is worth noting that bulletin 9 addresses an Important level vulnerability in Microsoft Office for Mac 2011. This bulletin does not affect the Windows versions.

Microsoft is expected to release all nine bulletins on Tuesday at approximately 10 a.m. PDT.
