14 DAY TRIAL // Microsoft is prepping three security bulletins for next Tuesday, that cover vulnerabilities in Microsoft Office and Forefront Unified Access Gateway, but don't address the recently reported zero-day Internet Explorer vulnerability.
Two bulletins, one of which is rated critical, contain patches for remote code execution vulnerabilities in Office components.
The critical impact would suggest that exploitation can be achieved without any user interaction, which is relatively rare for a vulnerability in Office.
This critical rating only applies to Office 2007 and 2010 (32- and 64-bit), the same bulletin only being rated as Important for Office XP, 2003, and Office for Mac 2011.
Therefore, it would fair to assume that the critical arbitrary code execution vulnerability is located in a component only found in Office 2007 and 2010.
Meanwhile, the second security bulletin, rated as important, contains patches for flaws in Microsoft Office PowerPoint 2002 and 2003, as well as Microsoft PowerPoint Viewer .
Finally, the third one, also rated as important, covers security issued in Forefront Unified Access Gateway 2010, a VPN and remote access solution for corporate networks.
Unfortunately, there was not enough time for Microsoft to also include a fix for the latest Internet Explorer zero-day in this month's Patch Tuesday.
This new IE vulnerability was revealed by the company three days ago after being discovered in the wild and can be exploited to execute arbitrary code by tricking users into visiting a maliciously crafted Web page.
However, so far it was only observed as part of a limited attack detected by Symantec, which targeted key people in various organizations.
The pages and servers involved in the attack have been cleaned, but if more widespread attacks will pop up, the company will be forced to push an out-of-band update.
According to a post on the Microsoft Security Response Center (MSRC) blog, the upcoming security bulletins will patch a total of 11 vulnerabilities.