Microsoft will issue nine bulletins, three rated “critical,” addressing 16 flaws across its product line as part of its July 2012 Patch Tuesday. As part of the update, Microsoft could roll out a patch addressing the XML Core Services zero-day flaw, which surfaced last month.
In its advance notification issued today, the software giant said the “critical” bulletins affect Windows and Internet Explorer 9. In addition, it plans updates to repair coding errors in Office, SharePoint server and Visual Basic for Applications.
Active attacks targeting XML Core Services
The advance notification does not indicate whether XML Core Services would be affected by the July updates. Microsoft issued an advisory last month warning users of attacks targeting an XML Core Services zero-day flaw.
Microsoft XML Core Services processes and converts XML to HTML for display. Attacks can target the coding error through drive-by attacks or trick users through a phishing campaign. Once an attacker is successful they are granted the same user rights as the victim and can access systems while fully authenticated, Microsoft said.
The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007. The advisory includes a workaround that can be used until the investigation is complete and a permanent patch is released.
Since the advisory, security experts say attacks targeting the flaw have increased. Graham Cluley outlined an attack using the flaw targeting the website of a European aeronautical parts supplier.
The bulletins are scheduled to be released July 10.