Microsoft has published the “Microsoft Security Bulletin Advance Notification for June 2014”, announcing seven security Bulletins that address different vulnerabilities in the company’s products.
The notification includes two critical Remote Code Execution vulnerabilities affecting Microsoft Windows, Internet Explorer, MS Office and Lync; the remaining flaws are classified as “Important”.
Microsoft announced that the update will be released this Tuesday. My readers will remember that the critical vulnerability in Internet Explorer was disclosed in May and raised considerable controversy within the IT community. According to many sources, Microsoft had kept the flaw hidden since October 2013, which means that during this period users were exposed to cyber threats able to exploit the flaw in the popular browser.
The curious thing is that after six months of silence from Microsoft, probably attributable to the difficulty of fixing the bug, the company completed the development of a patch in just 3 weeks (more or less).
As suggested by Microsoft, the critical Bulletins (ID 1 and ID 2) must be applied immediately; the first one will address the Remote Code Execution vulnerability affecting all versions of Internet Explorer.
The vulnerability reported in Bulletin 1 is considered the most critical; all server versions of Windows are also affected by this vulnerability, but with a low severity rating.
The vulnerability in Microsoft Internet Explorer 8 is a remote code execution flaw that could allow an attacker to remotely execute arbitrary code through a bug in CMarkup objects, as explained by ZDI (Zero Day Initiative). ZDI reported the flaw to Microsoft on 10/11/2013, but the company confirmed reproduction only on 02/10/2014, and it neither issued a patch nor informed its customers.
In a typical attack scenario, an attacker only has to deploy malicious content on a compromised website and persuade victims to visit it, for example through a spear phishing attack.
The second Bulletin also addresses a critical Remote Code Execution vulnerability in Windows and Office products, affecting all versions of Windows including Server Core, Microsoft Live Meeting 2007 Console and all versions of Microsoft Lync, excluding Lync Server.
(Security Affairs – Microsoft, remote code execution vulnerability)