Microsoft will ship 10 bulletins in the May edition of Patch Tuesday. The company considers just two of the patches critical, one of which supplements the currently available “Fix it” tool that resolved the IE zero-day vulnerability exploited recently in a watering-hole attack targeting the U.S. Department of Labor.
The critical patches address that and other vulnerabilities in Microsoft Windows and Internet Explorer that could give an attacker the ability to execute code remotely.
The remaining patches, all rated important, will mend a denial-of-service hole in Windows, a spoofing issue in Windows and the .NET Framework, a remote code execution bug in Lync, two remote code execution flaws and one information disclosure problem in Office, an information disclosure vulnerability in Windows Essentials, and an elevation-of-privilege defect in Windows.
Wolfgang Kandek, the CTO of Qualys Inc., writes on his blog that systems administrators should prioritize the IE zero-day vulnerability that enabled the Department of Labor hack and the other remote code execution flaws.
Kandek says that the second bulletin addresses the IE 8 zero-day mentioned above, while the first bulletin provides fixes for the IE vulnerabilities made public in the Pwn2Own contest at the CanSecWest conference in March.
The Tuesday release will also include patches for Adobe and a new version of Reader. Most importantly, Adobe is working on a fix for a recent ColdFusion zero-day that should be ready for shipment on Tuesday.
Microsoft will release the patches on Tuesday, replacing the advance notification bulletins on its Security TechCenter webpage.