A fairly lightweight Patch Tuesday arrives in May, but there are critical fixes for Internet Explorer
Two of the eight bulletins announced by Microsoft have been rated critical, as they could allow for remote code execution, whilst the remaining six were rated important.
Internet Explorer patches from Microsoft
The first critical flaw covers Internet Explorer, including all currently supported versions from IE6 onwards, and should include a fix for a fresh flaw (a so-called “zero-day”) uncovered last month. Microsoft had already released an out-of-band patch, but the latest update will cover those who didn’t install the fix.
The second serious vulnerability lies in Sharepoint server 2007, 2010 and 2013.
Although the third bulletin was only ranked “important”, it addresses a weakness in Office 2007, 2010 and 2013 which could let hackers execute code remotely. Such an attack would rely on some social engineering, having the user open an attachment.
The remaining patches are for Windows, .Net and Office. A Denial-of-Service condition in Server 2008 R2 and 2012 R2 will also be addressed.
“The patching priority is definitely the two critical issues. One of which seems to affect numerous components of SharePoint Server,” said Ross Barrett, senior manager of security engineering at Rapid7.
“This may prove to be a legitimate remotely exploitable issue, and definitely where I would focus my remediation resources first. The omnipresent critical patch in Internet Explorer is a close second in terms of importance, from the advance notice point of view.”
Windows XP support was dropped as planned in April. No more patches will be applied to the operating system through official Microsoft channels.
A report from Microsoft last week indicated Windows XP had lower infection rates than Vista or Windows 7 in the final quarter of 2013, back when the old OS was still supported.
What do you know about Internet security? Find out with our quiz!