Two of the eight bulletins scheduled for Microsoft's upcoming Patch Tuesday are deemed critical, but none will address flaws in Windows XP, the still widely used operating system that lost support in April.
Three bulletins address remote code execution vulnerabilities, but only two are deemed critical, meaning the bugs can be exploited to allow for code execution without any user interaction.
One remote code execution bulletin affects Internet Explorer (IE) 6 through IE 11 on all Windows platforms, according to a notification posted on Thursday, which explains that the other remote code execution bulletin affects SharePoint Server 2007, 2010 and 2013.
The third remote code execution bulletin, which is deemed important, affects Microsoft Office 2007, 2010 and 2013. In a statement emailed to SCMagazine.com on Thursday, Wolfgang Kandek, CTO with Qualys, said that the attack vector involves a malicious document that the victim has to open.
“Attackers would use a document, like in a social engineering attack, which aims at convincing the user to open the document, for example, by making it appear as coming from the user's HR department, or promising information about a subject of interest to the user,” Kandek said.
Of the remaining bulletins, all of which are deemed important, three address elevation of privileges in Windows and .NET Framework, one addresses a denial-of-service issue in Windows, and the final one addresses a security feature bypass in Microsoft Office.
Despite dropping support in April, Microsoft included Windows XP in an unscheduled patch, released early this month, to address a critical zero-day remote code execution vulnerability affecting IE 6 through IE 11. The bug was being exploited in a campaign known as Operation Clandestine Fox.
[An earlier version of this story incorrectly referred to the bulletins as individual bugs, vulnerabilities or flaws.]