Microsoft’s Patch Tuesday release has fixed two critical security flaws, both of which could leave users vulnerable if they are targeted by social engineering.
The release comes a month after the biggest Patch Tuesday of the year, which took aim at 25 bugs. Today’s update addresses two bugs; one a vulnerability in Microsoft Visual Basic for Applications, and the other a vulnerability impacting Outlook Express, Windows Mail and Windows Live Mail.
Both vulnerabilities are rated critical and can leave users open to remote code execution by attackers.
“I’ve put the Visual Basic for Applications (VBA) vulnerability first on my list,” said Joshua Talbot, security intelligence manager at Symantec Security Response. “Both vulnerabilities require social engineering to exploit, but the VBA vulnerability requires less action from a user. For instance, an attacker would simply have to convince a user to open a maliciously crafted file – likely an Office document – which supports VBA and the user’s machine would be compromised. I can see this being used in targeted attacks, which are on the rise.”
The other vulnerability is caused when a common library used by Outlook Express and Windows Mail insufficiently validates network data before using that data to calculate the necessary size of a buffer.
“An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted response to a client initiating a connection to a server under his control using the common mail protocols POP3 and IMAP,” Microsoft warned.
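The flaw described above is a missing sanity check on a size value received from the network before it is used in a buffer-size calculation. The following is an added example, not code from Microsoft or from the affected mail clients: a hypothetical parser for a POP3 "+OK <n> octets" reply that treats the announced size as untrusted and rejects non-numeric, negative, overflowing and over-limit values before any allocation size is derived from it. The policy cap MAX_MESSAGE_BYTES and the function name are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-message size limit; a policy choice, not from the advisory. */
#define MAX_MESSAGE_BYTES ((size_t)(64u * 1024u * 1024u))

/* Hypothetical parser for a POP3 "+OK <n> octets" line (the reply to LIST
 * or RETR). Computes the allocation size for the message body plus a
 * caller-supplied overhead. <n> comes from the server and is untrusted:
 * every rejection below is a case that an unchecked "n + overhead" would
 * silently turn into an undersized buffer. Writes *out and returns true
 * only when the value is safe to allocate. */
bool parse_ok_octets(const char *resp, size_t overhead, size_t *out)
{
    const char *prefix = "+OK ";
    if (!resp || !out || strncmp(resp, prefix, strlen(prefix)) != 0)
        return false;
    const char *p = resp + strlen(prefix);
    if (*p < '0' || *p > '9')          /* strtoull alone would accept "-5" */
        return false;
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(p, &end, 10);
    if (errno == ERANGE || end == p)   /* numeric overflow, or no digits */
        return false;
    if (strcmp(end, " octets") != 0 && strcmp(end, " octets\r\n") != 0)
        return false;                  /* trailing garbage after the number */
    if (n > MAX_MESSAGE_BYTES)         /* policy cap before any arithmetic */
        return false;
    if (overhead > SIZE_MAX - (size_t)n) /* explicit wrap-around check */
        return false;
    *out = (size_t)n + overhead;
    return true;
}
```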
Missing from today’s patch lineup is a fix for a cross-site scripting flaw affecting Office SharePoint 2007 and Windows SharePoint Services 3.0, first reported on April 28. The SharePoint vulnerability permits escalation of privileges within the SharePoint site. If successfully exploited, the bug allows an attacker to run commands against the SharePoint server with the privileges of the compromised user.
Microsoft recommends that users concerned about the issue implement the workaround contained in the advisory issued 29 April.