Microsoft to Patch Internet Explorer Zero-Day in Patch Tuesday Update

Microsoft is planning to release seven security bulletins next week for June’s Patch Tuesday.

Two of the bulletins are rated ‘Critical’, while five of the bulletins are classified as ‘Important.’ According to Microsoft, the updates cover a number of products including Microsoft Word, Windows, Microsoft Office and Internet Explorer.

The IE update will address the zero-day vulnerability in Internet Explorer 8 that was revealed recently by HP’s Zero-Day Initiative. The issue is a use-after-free vulnerability that could enable a remote attacker to execute arbitrary code using JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function. So far, the vulnerability is not known to have been used in any attacks, according to Microsoft.

“Today’s advanced notification outlines seven patches in next week’s June Patch Tuesday; two are critical and five important,” said Russ Ernst, director of product management at Lumension. “Affected software runs the gamut, as usual, and the first critical bulletin is for IE. Last month, IE saw a lot of activity, first with the out-of-band patch released on May 1, a point fix released as part of May’s Patch Tuesday, and a vulnerability that was publicly disclosed by the Zero-Day Initiative on May 21. We will have to wait and see if June Patch Tuesday is a cumulative update for the popular browser but odds are it will be. And if you’re still using XP, you’re out of luck.”

The second critical bulletin impacts Windows, Office and Microsoft Lync. According to Microsoft, it can be exploited to remotely execute code. Two other bulletins involving Windows and Lync Server are rated Important and can result in information disclosure. The other three bulletins rated Important deal with remote code execution, tampering and denial-of-service issues.

“Patch Tuesday, June 2014 advance notification once again falls under the shadow of looming OpenSSL issues,” said Ross Barrett, senior manager of security engineering at Rapid7, in reference to patches released today to address OpenSSL vulnerabilities. “These ones don’t have quite the catchy name as the last round, but they should not be ignored. That said, this is about the Microsoft advisories coming next week. There are seven of them, two critical, five important – one of which is the seldom seen ‘tampering’ type.”

The updates will be released June 10. 

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
