Microsoft this month released some 34 security fixes spread across a range of its core products including Windows Server 2008, Windows Server 2008 R2, Office 2010 and Internet Explorer.
Nine of the vulnerabilities have the maximum severity rating of "critical," with seven rated as "important." Of the 16 bulletins released, two address denial-of-service vulnerabilities, two address information disclosure flaws and two others address escalation of privilege.
Thirteen of the 16 bulletins address operating systems, with several of the updates affecting core installations. The most critical security fixes affecting Windows include ones to resolve:
- a vulnerability in Windows Object Linking and Embedding (OLE) automation that could allow remote code execution if users visit a web site containing Windows Metafile images;
- a vulnerability in .NET and Silverlight that could allow remote code execution on a client system if a user views a Web page using a browser that runs XAML browser applications;
- a vulnerability that could allow remote code execution if a user visits a network share containing an OpenType font;
- a vulnerability in Microsoft's Distributed File System that could allow remote code execution when attackers send a response to a client-initiated DFS request.
One of the issues Microsoft is addressing with the June updates is "cookiejacking," which allows an attacker to steal cookies from a user’s computer and access websites where the end user had logged in. This issue is being addressed largely in the Internet Explorer (IE) bulletins.
Two of the bulletins classified as critical stitch up holes in Internet Explorer versions 6 through 9, according to Microsoft. One security update for IE resolves 11 reported vulnerabilities, according to the company, the most severe of which could allow a remote attacker to gain the same user rights as the local user.
Another update, for both Internet Explorer and Windows, patches a vulnerability in Microsoft's Vector Markup Language. The latter update is deemed critical for Internet Explorer versions 6, 7 and 8 on Windows clients. The company said version 9 is not affected.
Let us know what you think about this story; email Ed Scannell at firstname.lastname@example.org.