Microsoft is planning to release seven security bulletins – three of which are rated ‘critical’ – as part of this month’s Patch Tuesday update.
The fixes span a number of different products, with the critical bulletins covering issues in Microsoft Windows, Silverlight, Microsoft Office and the .NET Framework. All totaled, 23 security vulnerabilities are on tap to be patched.
“Bulletin one is a critical vulnerability in Microsoft Office. Since this bulletin is categorized as affecting Microsoft Office it’s safe to say that this is a underlying issue on how it processes data,” said Marcus Carey, security researcher with Rapid7. “The vulnerability will likely be able to be exploited by crafting a malicious file that can be opened by any Microsoft Office applications. This is becoming a recurring theme for organizations and end users because it’s primed for phishing attacks.”
Bulletins two and three are rated critical as well and affect all of Microsoft’s current operating systems, he noted.
“Bulletin two looks as if it can be exploited by crafting malicious Microsoft Office files, or perhaps crafting a malicious web page that would be processed by the vulnerable software, which is also likely the case with bulletin three,” he said. “Both of these critical bulletins would result in remote code execution if compromised.”
The remaining bulletins are classified by Microsoft as ‘important,’ and address bugs in Microsoft Office and Windows.
“It would be dangerous for IT professionals to not take Bulletins 6 and 7 seriously because both bulletins address the issue of Elevation of Privilege, or taking limited control of a system and elevating it into full control,” said Alex Horan, senior product manager at CORE Security. “The common misperception is that no attacker will ever gain the initial foothold needed to pull that off. However, in today’s aggressive times, the mature security professional recognizes that compromise is inevitable and containment is key. After all, it is not realistic to think you can contain someone if they have full control of your system.”
The patches are slated to be released May 8.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Chrome 114 Released With 18 Security Fixes
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Breaking Enterprise Silos and Improving Protection
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
