Microsoft released seven security updates -- two critical and five important -- as part of the June Patch Tuesday. Both critical bulletins address remote code execution vulnerabilities.
One critical update addresses a whopping 59 reported vulnerabilities in Internet Explorer (IE) that could be exploited if end users use IE to view a malicious website. The fix changes the way IE deals with validating permissions, handling objects in memory and negotiating certificates during transport layer security (TLS) sessions. The update affects IE versions 6 through 11 on multiple versions of Windows and Windows Server.
Since a typical Patch Tuesday Internet Explorer update fixes 20-30 vulnerabilities, it's likely that an automation program was used to find and address them, said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, California.
"Somebody did great engineering work [to find vulnerabilities] and handed them all to Microsoft," he said.
The other critical update addresses two vulnerabilities in a graphics component found in multiple versions of Microsoft Lync, Microsoft Office and Microsoft Windows. The vulnerabilities could be exploited if end users view malicious files or websites. The security update corrects the way Windows handles certain files and the way GDI+ validates certain types of image records.
These vulnerabilities are not as easy to exploit as the Internet Explorer vulnerabilities, Kandek said.
The important bulletins in this round of Patch Tuesday security updates include fixes for remote code execution, information disclosure, denial of service and tampering vulnerabilities.
One update addresses a remote code execution vulnerability in Microsoft Word, which could be exploited if end users open a malicious file in an affected version of Word. Microsoft says the update fixes the way Office parses certain files and affects supported editions of the Office Compatibility Pack and Word 2007.
If administrators are still running Word 2007, they should prioritize this update over the GDI+ fix, Kandek said.
Lync appears again in a security update to address an important information disclosure vulnerability. The vulnerability could be exploited if end users attempt to join a Lync meeting and click on a malicious URL. The update fixes the way Lync sanitizes and handles content and affects a small number of Lync versions.
A rare tampering vulnerability is also addressed in an important fix for Remote Desktop Protocol (RDP). The vulnerability could be exploited if attackers send malicious packets to a targeted system after gaining access to the network segment with the active RDP session. But the fix applies only under certain conditions. RDP isn't enabled by default on any Windows OS, and systems that don't have RDP enabled aren't at risk, Microsoft said.
Other systems affected by the important security updates include multiple versions of Office and Windows; the complete list of security updates can be found here.
This month's security updates bring the year-to-date total up to 36, a noticeably smaller number than the 51 updates at the same point in 2013.