Critical holes closed in Microsoft's June Patch Tuesday
Microsoft has released seven security bulletins fixing a total of 27 security holes, 13 of them in Internet Explorer. The rest of the patches affect all currently supported Windows versions, the .NET Framework, Remote Desktop, Lync and Dynamics AX. A patch that had been announced for Visual Basic for Applications has yet to be released.
The most important updates are bundled in the cumulative Internet Explorer patch (MS12-037), which includes fixes for the holes that were targeted by Pwn2Own exploits. Microsoft is the last of the companies to close the exposed holes that were targeted during the Pwn2Own competition; Google and Mozilla fixed their browsers in March. According to Michael Kranawetter, Microsoft's Chief Security Advisor in Germany, the IE patch also affects the Windows 8 Consumer Preview, and therefore Internet Explorer 10.
Another urgent update is MS12-036, which concerns denial of service and remote code execution vulnerabilities in the Remote Desktop features built into all supported versions of Windows. The third critical update affects the .NET Framework (MS12-038). The remaining 4 updates are rated "important" by Microsoft and close code execution bugs in Lync and privilege escalation holes in Dynamics AX and Windows.
No patch has so far been released for the critical hole in Microsoft's XML Core Services that can be targeted via Internet Explorer and Office documents. The vulnerability affects all versions of Windows. Microsoft has released a security advisory and recommends that users apply a "Fix it" solution until a proper patch has been made available. Google says that, on 30 May, it informed Microsoft that this hole is actively being exploited to target Windows systems.
- Microsoft Security Bulletin Summary for June 2012, security advisory from Microsoft.