July Patch Tuesday Expected to Include Fix for XML Zero-Day Flaw
Posted 07/06/2012 | by Pulkit Chandna



Microsoft today issued an advance notification of this month’s “Patch Tuesday” security updates for Windows and its other software. According to its security bulletin advance notification for July 2012, Microsoft will deliver three “critical” and twice as many “important” security updates next Tuesday.

The coming security updates will address a number of vulnerabilities across Windows, Office, Internet Explorer 9, Microsoft Developer Tools and Microsoft Server Software. A fix for the XML zero-day flaw (CVE-2012-1889) that Microsoft disclosed last month is widely expected to be among the updates scheduled for next week. Wolfgang Kandek, CTO of security firm Qualys, expects Bulletin 1 to address this flaw, for which a temporary fix was issued last month.

“If Microsoft doesn't patch this bug it's going to cause some heartburn for IT security teams,” feels Andrew Storm, nCircle's Director of Security Operations. “We've already seen reliable reports that the exploit for this bug has been included in several popular attack tool kits.”

According to Microsoft, this vulnerability in Microsoft XML Core Services could allow remote code execution if an Internet Explorer user visits a specially crafted malicious website. “An attacker would have no way to force users to visit such a website,” reads Microsoft’s security advisory on the bug. “Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.”