Critical security patches coming for Windows, Exchange

Microsoft's advance Patch Tuesday bulletin forecasts three security updates, but doesn't mention fixes for the latest Internet Explorer flaws.

Microsoft customers will get patches for security holes in Windows and Exchange Tuesday, but they may have to wait longer for fixes that address the latest flaws in Internet Explorer.

In the monthly Patch Tuesday preview on its TechNet site, the software giant said it will release three security updates in all -- one critical fix for Exchange and two for Windows, at least one of which will also be critical.

As it does every month, the company will also update its malicious software removal tool and offer a Webcast Wednesday so customers can ask questions or air concerns.

Microsoft will also release two non-security, high-priority updates via Microsoft Update (MU) and Windows Server Update Services (WSUS). The company didn't say what those updates will address.

"Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released," Microsoft said.

The advance bulletin didn't mention any potential Internet Explorer patches. Microsoft released a super-sized fix for the browser last month, but since then at least three new flaws have surfaced.

The first problem is a race condition that appears when security dialogs are displayed and processed; prompting a user to install and execute an ActiveX control. Attackers could exploit this to manipulate the dialog box and remotely compromise a vulnerable system by convincing a user to visit a specially crafted Web page. Attackers could then install or execute a malicious ActiveX control on the victim's machine.

The second problem is an origin validation error that appears when "mhtml:" URL redirections are handled. Attackers could exploit this to read content and data served from another domain in the context of a malicious Web page, FrSIRT said, adding that fully functional exploit code has been released.

The third problem is caused by an error in how certain sequences of nested "object" HTML tags are processed. Attackers could exploit it to launch malicious code and corrupt system memory.

Microsoft has confirmed it is investigating the flaws, and said the first two would take significant user interaction to exploit.

This article originally appeared on SearchSecurity.com.

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close