Microsoft is back in fine form this month with nine upcoming advisories affecting Internet Explorer, the entire Microsoft range of supported operating systems, plus Office, SharePoint Server and a very specific add on module to their development tools calls “ASP .NET MVC”.
Three of the advisories are rated Critical, Microsoft’s most severe designation based on the impact of exploitation and the likelihood of an exploit emerging, including the IE issue and two issues affecting virtually every supported Operating System. These will be the top patching priorities, probably with the IE issue being the most at risk for exploitation.
Behind the three critical, there are four issues marked as Important, enabling either remote code execution or elevation of privilege. Again, most Windows versions are affected, plus in one case, Office and SharePoint. These will be the second patching priority.
Rounding out the group is a Moderate elevation of privilege issue affecting Windows and Office, this issue seems to be related to the Office Japanese language input extensions and does not apply to Windows 8 or later. The issue in ASP .NET MVC is a security feature bypass and due to the relatively limited exposure of that feature should be addressed on an, if and when basis.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.