News Stay informed about the latest enterprise technology news and product updates.

Critical security patches coming for Windows, Exchange

Microsoft's advance Patch Tuesday bulletin forecasts three security updates, but doesn't mention fixes for the latest Internet Explorer flaws.

Microsoft customers will get patches for security holes in Windows and Exchange Tuesday, but they may have to wait longer for fixes that address the latest flaws in Internet Explorer.

In the monthly Patch Tuesday preview on its TechNet site, the software giant said it will release three security updates in all -- one critical fix for Exchange and two for Windows, at least one of which will also be critical.

As it does every month, the company will also update its malicious software removal tool and offer a Webcast Wednesday so customers can ask questions or air concerns.

Microsoft will also release two non-security, high-priority updates via Microsoft Update (MU) and Windows Server Update Services (WSUS). The company didn't say what those updates will address.

"Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released," Microsoft said.

The advance bulletin didn't mention any potential Internet Explorer patches. Microsoft released a super-sized fix for the browser last month, but since then at least three new flaws have surfaced.

The first problem is a race condition that appears when security dialogs are displayed and processed; prompting a user to install and execute an ActiveX control. Attackers could exploit this to manipulate the dialog box and remotely compromise a vulnerable system by convincing a user to visit a specially crafted Web page. Attackers could then install or execute a malicious ActiveX control on the victim's machine.

The second problem is an origin validation error that appears when "mhtml:" URL redirections are handled. Attackers could exploit this to read content and data served from another domain in the context of a malicious Web page, FrSIRT said, adding that fully functional exploit code has been released.

The third problem is caused by an error in how certain sequences of nested "object" HTML tags are processed. Attackers could exploit it to launch malicious code and corrupt system memory.

Microsoft has confirmed it is investigating the flaws, and said the first two would take significant user interaction to exploit.

This article originally appeared on

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.