Microsoft customers will get patches for security holes in Windows and Exchange Tuesday, but they may have to wait...
longer for fixes that address the latest flaws in Internet Explorer.
In the monthly Patch Tuesday preview on its TechNet site, the software giant said it will release three security updates in all -- one critical fix for Exchange and two for Windows, at least one of which will also be critical.
Microsoft will also release two non-security, high-priority updates via Microsoft Update (MU) and Windows Server Update Services (WSUS). The company didn't say what those updates will address.
"Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released," Microsoft said.
The first problem is a race condition that appears when security dialogs are displayed and processed; prompting a user to install and execute an ActiveX control. Attackers could exploit this to manipulate the dialog box and remotely compromise a vulnerable system by convincing a user to visit a specially crafted Web page. Attackers could then install or execute a malicious ActiveX control on the victim's machine.
The second problem is an origin validation error that appears when "mhtml:" URL redirections are handled. Attackers could exploit this to read content and data served from another domain in the context of a malicious Web page, FrSIRT said, adding that fully functional exploit code has been released.
The third problem is caused by an error in how certain sequences of nested "object" HTML tags are processed. Attackers could exploit it to launch malicious code and corrupt system memory.
Microsoft has confirmed it is investigating the flaws, and said the first two would take significant user interaction to exploit.
This article originally appeared on SearchSecurity.com.