Microsoft announced today in an advance Patch Tuesday notification that it will ship just five bulletins in the June edition of Patch Tuesday.
Only one bulletin received the software giant’s most severe ‘critical’ rating: it will fix a vulnerability in Windows and Internet Explorer that could allow an attacker to execute code remotely. The remaining four bulletins received the next most severe ‘important’ rating and will fix information disclosure, denial of service, and elevation of privilege bugs in Windows as well as a remote code execution flaw in Internet Explorer.
Ross Barrett, senior manager of security engineering at Rapid7, told Threatpost via email that he would be interested to see whether or not Microsoft fixes the kernel vulnerability that Google’s Tavis Ormandy recently disclosed publicly on the Full Disclosure mailing list. Ormandy’s decision to disclose the bug in this way stirred up controversy late last month, but the information security engineer from Google claimed that he only released the exploit code after the code had already been made available by another group.
Barrett said that Microsoft is slow to patch bugs for which there is no evidence of in-the-wild exploitation. However, he also claims that the press surrounding the Ormandy incident is just the sort of thing that has spurred the company to patch such bugs more quickly in the past. If the Redmond-based tech giant is planning a fix, he claims, it must be the fourth bulletin that is set to fix a privilege elevation vulnerability in Windows, though he also said that there has been a “condition that fits that profile, more or less, every month for the past year.”
Barrett ranked the only critical Internet Explorer bug as the highest priority patch and said that the second highest priority should be the remote code execution bug in Office.
Microsoft will post the official bulletins and host a webcast to address customer questions regarding the patches this coming Tuesday, June 12, at 1 PM EDT.