Microsoft is issuing the second critical patch this month for Internet Explorer, but this time won't stray from its dictum not to support versions that run with Windows XP.
The IE bulletin is ranked critical, and if the vulnerabilities it addresses are exploited, it could result in attackers remotely executing malicious code on victim machines. The patches are available for IE 6 through 11.
The update likely will contain an out-of-band patch issued last week for a zero-day flaw as well as vulnerabilities unearthed during the hacking competition earlier this year at CanSecWest, says Qualys CTO Wolfgang Kandek.
Microsoft included Windows XP in that out-of-band patch despite the fact that XP is officially unsupported by the company. That is not the case with the patches coming out next Tuesday, making this the first time a known flaw affecting XP is going unaddressed.
“Anyone still using XP just got a little less secure – not that they were well off to begin with,” says Ross Barrett, a senior manager of security engineering at Rapid7.
Users of other operating systems who also use IE should expect fixes routinely every Patch Tuesday, says Russ Ernst, the director of product management at Lumension. “The bad guys continue to wage war on what remains one of the most popular browsers so, for organizations that rely on it, IT needs to patch monthly, at a minimum,” he says.
In addition to the IE bulletin, Microsoft is issuing critical patches for SharePoint 2007, 2010 and 2013 as well as Office Online.
Six other bulletins are rated as important, meaning they require users to take an action such as clicking on a link in order to be exploited. They affect Office, most versions of Windows and the .NET framework. “May patch Tuesday, the second patching event of this May, is breaking with the recent trend of lighter than average months,” says Barrett.
Bulletin 3 is a possible remote code execution that hits Office; bulletin 4 is for most versions of Windows. Windows and the .NET framework are covered in bulletin 5 with an elevation of privilege issue. The sixth and seventh bulletins impact most versions of Windows with elevation of privilege and denial of service issues respectively. The last bulletin addresses a security feature bypass issue in Office.
Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at firstname.lastname@example.org and follow him on Twitter @Tim_Greene.