The month is fresh, which means that Microsoft has a raft of upcoming fixes and patches coming out next Tuesday for its software products. Patch Tuesday is an institution, and one that matters as it helps keeps everyone a bit safer, and hopefully, one step ahead of the digital baddies.
This month’s collection of updates contains some 7 bulletins, which will fix 23 vulnerabilities. Three bulletins are rated as critical, and four as important. This month, Office and Windows are receiving the brunt of the help, which means that you are likely to be impacted by the coming updates.
F**k it, we'll do it live!
Our biggest ever edition of TNW Conference is fast approaching! Join 10,000 tech leaders this May in Amsterdam.
Rapid7 sent TNW a few notes on the coming patches, two points of which we think are important, as they address the ‘critical’ fixes. Now, Microsoft doesn’t reveal exactly what it is fixing, until it unleashes the updates, to prevent people from preemptively correcting their hacks, but this likely what we will see:
Bulletin 1 is a critical vulnerability in Microsoft Office. Since this bulletin is categorized as affecting Microsoft Office it’s safe to say that this is a underlying issue on how it processes data. The vulnerability will likely be able to be exploited by crafting a malicious file that can be opened by any Microsoft Office applications. This is becoming a recurring theme for organizations and end users because it’s primed for phishing attacks. As we’ve learned over the past couple weeks, Mac users need to apply these patches as soon as possible as attackers are targeting them through Microsoft Office vulnerabilities.
Bulletins 2 & 3 are both rated as critical and affect all of Microsoft’s current operating systems, from Windows XP SP3 to Windows Server 2008. This means that all organizations and the entire user base will be affected by these critical bulletins. Bulletin 2 looks as if it can be exploited by crafting malicious Microsoft Office files, or perhaps crafting a malicious web page that would be processed by the vulnerable software, which is also likely the case with bulletin 3. Both of these critical bulletins would result in remote code execution if compromised.
As we do every month, when the patches land, we’ll bring you their details.