Microsoft patch day sees release of 16 patches, fixing 34 vulnerabilities
Microsoft's June patch day sees the release of a total of 16 patches, relating to 34 security vulnerabilities. Nine of the patches fix critical security vulnerabilities which could be exploited for remote code injection; seven more are classed as important. Administrators and users are advised to act quickly. There are security fixes for all supported versions of Windows, Internet Explorer (including the first patch for version 9), Office, .NET, SQL, Visual Studio, Silverlight and ISA.
Bulletin MS11-050 describes a whole series of fixes for security vulnerabilities which could allow Internet Explorer users (all versions including version 9) to pick up malicious code when visiting an infected web site. The bugs include an error in the way link properties are processed. Users could also be infected with malicious code when visiting a web page containing crafted WMF images.
This patch day also puts an end to cookiejacking – where an attacker who is able to discover a potential victim's Windows user name can read all of that user's cookies. Bulletin MS11-052 is also classed by Microsoft as critical. A bug in the way VML format vector graphics are processed allows attackers to execute malicious code. All Internet Explorer versions up to and including 8 are affected.
Another patch fixes a critical vulnerability in the SMB client in all Windows versions. Using a crafted SMB command, an attacker could gain full control of a victim's computer. The attacker merely needs to persuade the victim to connect to a specific SMB server, by, for example, sending them a link in an email.
Microsoft has also fixed a critical Windows error which arises when establishing a connection to a DFS server. Like the SMB vulnerability, this weakness can be exploited by a maliciously configured server to compromise a client. A patch for all versions of Excel fixes a number of vulnerabilities which could allow infected Excel files to inject malicious code. The patches are being made available to users via Windows Update.