Windows and Internet Explorer vulnerabilities that could allow remote code execution (RCE) will take precedence this Patch Tuesday, according to an announcement from software maker Microsoft.
On Thursday, the tech giant released an advance notification for its August security update. Microsoft plans to release nine security bulletins in total: two “critical” patches for RCE bugs in Windows and IE, and seven “important” bulletins covering other RCE issues in Office; elevation of privilege vulnerabilities in Windows, SharePoint Server and SQL Server software; and security feature bypass issues impacting Windows and the .NET Framework.
Due out next Tuesday, Bulletin 1 is expected to be a cumulative fix for IE (versions 6 through 11 on Windows 8.1 and RT).
In a Patch Tuesday preview blog post, Wolfgang Kandek, CTO of Qualys, wrote on Thursday that the easiest way to exploit the RCE bugs in IE would be for an attacker to lure users to compromised websites.
“An attacker would exploit this vulnerability on your users through a malicious webpage,” Kandek told administrators. “These pages can be on sites that are either set up specifically for this purpose, requiring him or her to attract your users to the site or are on sites that are already under control of the attacker with an established user community, such as blogs and forums,” he wrote.
The other critical update, Bulletin 2, specifically impacts Windows 7 and Windows 8, as well as the Media Center TV pack for Vista, Kandek continued.
“I believe it must address bugs in the graphics processing pipeline, most likely in an online video component,” he explained of the Windows update. “An attacker would have to trick you into opening a file. Microsoft's rating of ‘critical’ indicates that your users can trigger this bug by simply surfing to a malicious webpage, so no special interaction is required.”