June’s Patch Tuesday is almost upon us, and it looks like everyone is ready for summer. The Microsoft MSRC team must be on vacation because we are only getting five bulletins this month.

Despite the light load, there are some significant updates. First, we have the omnipresent critical IE bulletin with remote code execution:

“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft reported.

This affects every version of IE from 6 through 10, so it should automatically go to the top of your ‘patch immediately’ list.

The next three Windows bulletins are marked ‘important’, and they include information disclosure, denial of service, and an elevation of privilege. Together, these bugs hit everything from XP to Windows 8, including the Windows Server operating systems.

The final bulletin in Microsoft Office is interesting – it’s only marked ‘important’ but it’s also subject to remote code execution:

“The vulnerabilities could allow remote code execution if a user opens a specially crafted Publisher file with an affected version of Microsoft Publisher. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft said.

This bug probably isn’t remotely exploitable; it probably has to do with parsing a document type. This will be one to watch tomorrow.

Lamar Bailey

Lamar Bailey has contributed 7 posts to The State of Security.
