Microsoft To Fix Flaws In IE, SharePoint In 10-Patch Release


Microsoft plans to release 10 patches -- three critical -- repairing 34 vulnerabilities in its June release, including ones that address a critical flaw in Internet Explorer and an important vulnerability in SharePoint server.

Altogether, three of the 10 Microsoft "Patch Tuesday" security bulletins -- set to be released Tuesday, June 8 -- are rated with the highest severity ranking of "critical," indicating that the flaws enable attackers to launch remote code execution attacks to take complete control of a victim's PC.

Meanwhile, six of the impending security patches affect Windows, two of which carry a "critical" rating, while two of the patches affect Microsoft Office.

Included in the June patch load is a fix for a publicly reported critical vulnerability in multiple versions of IE. The flaw, first reported in February, occurs when content is forced to render incorrectly for local files, which subsequently exposes information to malicious Websites.

If exploited, the critical IE flaw enables attackers to access files from users who are running a version of IE not deployed in Protected Mode, including IE 5, IE 6, IE 7 and IE 8 supported on various editions of Windows, including Windows 2000, Server 2003 and Windows XP.

Attackers could infect victims by enticing users to view a malicious Website, often by embedding a specially crafted link in an e-mail or social networking message as part of a social engineering ploy. Attackers could also compromise third-party or user-provided content on a legitimate site in an attempt to infect all visitors.

Also included in this month's release is a fix for a vulnerability ranked as "important" in Microsoft SharePoint Service 3.0 and Microsoft Office SharePoint Server 2007, which could enable an attacker to launch malware that would give them escalated privileges within the SharePoint site itself, as opposed to within the workstation or server environment.

Paul Henry, security and forensic analyst for security company Lumension, warned IT administrators that the June patch load was hefty and would require some scrutiny to prioritize their installation.

"The impact will be felt enterprise-wide, with bulletins covering a large portion of Microsoft's range of operating systems and Windows and Office products," he said in an e-mail, "so it is strongly suggested that IT administrators plan ahead and prioritize this patch load as soon as possible."