Microsoft is planning to release seven security bulletins – three of which are rated ‘critical’ – as part of this month’s Patch Tuesday update.
The fixes span a number of different products, with the critical bulletins covering issues in Microsoft Windows, Silverlight, Microsoft Office and the .NET Framework. All totaled, 23 security vulnerabilities are on tap to be patched.
“Bulletin one is a critical vulnerability in Microsoft Office. Since this bulletin is categorized as affecting Microsoft Office it’s safe to say that this is a underlying issue on how it processes data,” said Marcus Carey, security researcher with Rapid7. “The vulnerability will likely be able to be exploited by crafting a malicious file that can be opened by any Microsoft Office applications. This is becoming a recurring theme for organizations and end users because it’s primed for phishing attacks.”
Bulletins two and three are rated critical as well and affect all of Microsoft’s current operating systems, he noted.
“Bulletin two looks as if it can be exploited by crafting malicious Microsoft Office files, or perhaps crafting a malicious web page that would be processed by the vulnerable software, which is also likely the case with bulletin three,” he said. “Both of these critical bulletins would result in remote code execution if compromised.”
The remaining bulletins are classified by Microsoft as ‘important,’ and address bugs in Microsoft Office and Windows.
“It would be dangerous for IT professionals to not take Bulletins 6 and 7 seriously because both bulletins address the issue of Elevation of Privilege, or taking limited control of a system and elevating it into full control,” said Alex Horan, senior product manager at CORE Security. “The common misperception is that no attacker will ever gain the initial foothold needed to pull that off. However, in today’s aggressive times, the mature security professional recognizes that compromise is inevitable and containment is key. After all, it is not realistic to think you can contain someone if they have full control of your system.”
The patches are slated to be released May 8.