Microsoft’s ‘Patch Tuesday’ security fixes bypass XP

Microsoft is releasing fixes for eight bugs on Tuesday, May 13, two of them rated “critical,” according to an article in SC Magazine. However none of the bugs will be addressed in Windows XP, which is still widely used although Microsoft ended support for it last month.

Three remote code execution vulnerabilities are being patched. Two of the patches are given a critical rating because the bugs they address can be exploited to allow code execution without user input. One of the two affects Internet Explorer versions 6 through 11 on all Windows platforms. The other impacts SharePoint Server 2017, 2010 and 2013.

The third remote code execution vulnerability is rated as “important” and affects Microsoft Office 2007, 2010 and 2013. Wolfgang Kandek, CTO of Qualys, told SC Magazine that the vulnerability enables attacks via a malicious document that the user is required to open.

“Attackers would use a document, like in a social engineering attack, which aims at convincing the user to open the document, for example, by making it appear as coming from the user’s HR department, or promising information about a subject of interest to the user,” Kandek said.

While Microsoft ended support for Windows XP in April, it did include the operating system in an unscheduled patch at the beginning of this month, a move that surprised many observers. The patch fixed a critical zero-day remote code execution vulnerability affecting IE 6 through IE 11. The bug leveraged an Adobe Flash exploitation technique to enable attackers to execute arbitrary code on a victim’s browser.

Microsoft is also releasing its final draft security bulletins dealing with the latest threats. It will will host a webcast to address customer questions about the bulletins on Wednesday, May 14 at 11:00 a.m. Pacific Time. Users can register here.

Other than the remote code execution vulnerabilities, three of the bugs being patched allow elevation of privilege, one enables denial of service and the eighth is a security feature bypass.

Microsoft (Nasdaq: MSFT) is also releasing an updated version of the Microsoft Windows Malicious Software Removal Tool.

Andrew Brooks
Andrew Brooks
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web