Article

Microsoft to issue two critical bulletins, SharePoint to remain vulnerable

Robert Westervelt, News Director
Microsoft plans to issue two critical bulletins next week, as part of its monthly patch cycle, repairing vulnerabilities affecting Windows and Office.

The software giant issued its advance notification, Thursday, and

    Requires Free Membership to View

advised customers that the bulletins would not address a serious zero-day vulnerability affecting its SharePoint content management server.

"Windows 7 and Windows Server 2008 R2 customers will be offered the Windows related update but they are not vulnerable in their default configurations," wrote Jerry Bryant, Microsoft's group manager of response communications, in the Microsoft Security Response Center blog.

Bryant warned users of SharePoint not to expect a bulletin addressing the SharePoint zero-day vulnerability in which proof-of-concept code is publicly available. Engineering teams are still working on a patch to repair the vulnerability, he said.

Microsoft issued an advisory last week warning of a cross-site scripting (XSS) vulnerability affecting SharePoint Server 2007 and SharePoint Services 3.0. The vulnerability can be exploited in a browser-based attack and enable an attacker to execute JavaScript code within the vulnerable application.

Last month Microsoft issued 11 bulletins, five critical, repairing 25 vulnerabilities across its product line. In addition to several media handling vulnerabilities, Microsoft fixed a serious Windows Authenticode Verification flaw. Windows Authenticode Verification is a digital signature format used to verify the origin and integrity of software when it is installed on a machine.