With Microsoft Patch Tuesday right around the corner, the Redmond, Washington-based vendor has issued its initial alert that signals the types of security fixes that will be forthcoming. This month, the advisory specifies a total of nine bulletins, three of which are listed as critical with the remaining six listed as important.
“I expect them to fix an XML problem that they identified last month,” said Wolfgang Kandek, CTO of Qualys. “This is in response to a zero-day attack that is already being used in the wild. Last Patch Tuesday, they provided a workaround. And while we recommend that people use the workaround, I'm expecting a very real patch coming out on Tuesday.”
But Marcus Carey, security researcher at Rapid7, is not convinced that the XML patch is ready.
“It's not entirely clear if they're going to actually patch that, yet,” he said. “That's kind of significant news because that vulnerability has been being exploited in the wild for about a month now. And, I’m not sure that the documentation I’m seeing so far exactly matches the circumstances. And from what I understand, this XML bug is going to be hard to patch.”
In another critical bulletin, Carey points to an Internet Explorer bug impacting IE 9. “That's a newer type of bug, because it doesn't affect any of the predecessors,” he said.
“This one is particularly interesting because they updated all versions of Internet Explorer last month, and Microsoft normally does that only every other month,” said Kandek. “And, it involves Internet Explorer 9, which is their flagship and is the most secure. So, it must've been something directed toward that particular version of the browser.”
Bulletin No. 4 and Bulletin No. 8 are designed to address Microsoft Office bugs. “Anytime we see those, the primary attack vectors tend to be spear phishing,” explained Carey. “So we expect those will be pretty important. Numbers four, five and six tend to be more trivial than the more critical ones. It's more than likely that the user has to interact with it in order to make the bug operative.”
PUBLISHED JULY 5, 2012