Microsoft’s latest “Patch Tuesday” will fix two critical security flaws – and six further bugs – in a total of five updates today.
However, none of the bugs will be addressed in Windows XP, which finally went out of support at the end of April, more than 12 years after it was first introduced. The security flaws leave Windows XP – or any other unpatched Microsoft Windows system – open to exploitation through remote code execution.
One of the patches will address the critical flaw affecting all versions of the Internet Explorer web browser from IE6 to IE11. The other remote code execution flaw affects SharePoint Server 2007, 2010 and 2013, and will only be of interest to organisations rather than home users.
The third remote code execution security flaw, which is only deemed “important”, not “critical”, affects Microsoft Office versions 2007, 2010 and 2013. An attack exploiting the flaw would require a user to be persuaded to open an infected document.
“Attackers would use a document like that in a social engineering attack, which aims at convincing the user to open the document, for example by making it appear as coming from the user’s HR department or promising information about a subject of interest to the user,” wrote Wolfgang Kandek, chief technology officer of security specialists Qualys, in a blog posting.
The rest of the patches and bug fixes address vulnerabilities in Windows and the .NET Framework and a denial-of-service issue in Windows, while the final one addresses a security feature bypass in Microsoft Office.
At the same time, Adobe is preparing a new version of its Acrobat Reader software to address multiple security shortcomings in the PDF format, which has increasingly become an attack vector for hackers.