Microsoft to fix holes in Windows, Office
But fix for SharePoint cross-site scripting hole will not be part of these Patch Tuesday fixes, Microsoft says.
Microsoft on Tuesday will issue two critical bulletins that will fix vulnerabilities in Windows and Office which, if exploited successfully, could allow a remote attacker to take control of the computer, the company said Thursday.
The bulletins, part of the company's monthly Patch Tuesday fixes, affect Windows 2000, XP, Vista, Windows 7, Server 2003 and Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, and Microsoft Visual Basic for Applications and Visual Basic for Applications software development kit. Windows 7 and Server 2008 R2 customers are not vulnerable in their default configurations, however, the company said in a post on the Microsoft Security Response Center (MSRC) blog.
Absent from the Patch Tuesday bulletins, however, will be a fix for a vulnerability in SharePoint Services 3.0 and SharePoint Server 2007 that was disclosed last week and which could lead to a cross-site scripting attack via the browser. Proof-of-concept exploit code has been published.
"Our teams are still working on an update for that issue," Jerry Bryant, group manager for response communications at the MSRC, wrote in the post. "In the meantime, we recommend customers review the advisory and apply the workarounds."
Meanwhile, Microsoft said support for Windows 2000 and XP SP2 will end after July 13 and customers should upgrade to a supported operating system or the latest service pack to continue receiving security updates.