Microsoft has released six security bulletins for this month's Patch Tuesday, fixing three critical vulnerabilities in Internet Explorer, JScript and Windows Shell.
The MS15-106 update is listed as critical for IE 7, 8, 9, 10 and 11 on affected Windows clients. The vulnerabilities it fixes could allow remote code execution if a user views a specially crafted webpage using the browser.
"Remote code execution vulnerabilities exist when IE improperly accesses objects in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user," explained the Microsoft advisory.
"An attacker could host a specially crafted website that is designed to exploit these vulnerabilities through IE, and then convince a user to view the website."
A separate critical update, MS15-108, for JScript and VBScript also addresses problems that could lead to remote code execution in Windows systems.
"An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user," warned the advisory.
"If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights."
The MS15-108 update is rated critical for affected versions of JScript and VBScript on supported editions of Windows Vista, Server 2008, and Server Core installations of Windows Server 2008 R2.
Meanwhile, update MS15-109 fixes vulnerabilities in Windows Shell that leave a system open to remote code execution, and is marked critical for all versions of Windows.
"For an attack to be successful, this vulnerability requires that a user opens a specially crafted toolbar object in Windows. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted tool bar object to the user and convincing the user to open it," stated the advisory.
Microsoft noted that it has no evidence to suggest that this vulnerability has been exploited in the wild, despite the bulletin being listed as critical.
The three remaining bulletins, MS15-107, MS15-110 and MS15-111, fix vulnerabilities in the Edge browser, Office and Windows Kernel.
In a separate bulletin, Microsoft released an update for the .NET Framework that "disables RC4 in Transport Layer Security through the modification of the system registry".
Microsoft warned: "Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions."