Microsoft is readying 10 patches to address 34 vulnerabilities as part of next week's monthly security update.
Two of the patches are expected to address publicly known, zero-day issues involving SharePoint and Internet Explorer (IE), according to Microsoft.
The SharePoint bug could allow hackers to elevate privileges and steal sensitive data. The flaw was disclosed to Microsoft in early April by Swiss security firm High-Tech Bridge. On April 29, High-Tech Bridge, whose policy is to go public with bug details two weeks after notifying the vendor, issued an advisory, which included a link to proof-of-concept code that exploits the vulnerability. Microsoft has said it is not aware of any in-the-wild attacks targeting the vulnerability. It has released its own advisory, offering suggested workarounds, such as restricting access to the SharePoint help.aspx XML files.
Meanwhile, the IE zero-day was disclosed in February, according to a Microsoft advisory, and can result in information disclosure. The bug can be exploited on machines running Windows XP or those that have disabled IE's Protected Mode. A successful exploit could allow an attacker to access files with an already-known name and location. Users have been encouraged to upgrade to IE 8 to avoid the vulnerability.
In total, Microsoft on Tuesday plans to release three bulletins rated "critical" — two impacting Windows and the other affecting IE — and seven rated "important" — four for Windows, two for Office and one for both Windows and Office.
Microsoft is again using the monthly update to remind customers that it plans to end support for Windows 2000 and Windows XP SP2 on July 13.
"Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving necessary security updates," Jerry Bryant, group manager of response communications, wrote in a blog post Thursday.