Microsoft has released six security bulletins for this month's Patch Tuesday, fixing three critical vulnerabilities in Internet Explorer, JScript and Windows Shell.
The MS15-106 update is listed as critical for IE 7, 8, 9, 10 and 11 on affected Windows clients, and could allow an attacker to use remote code execution if a user views a specially crafted webpage using the browser.
"Remote code execution vulnerabilities exist when IE improperly accesses objects in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user," explained the Microsoft advisory.
"An attacker could host a specially crafted website that is designed to exploit these vulnerabilities through IE, and then convince a user to view the website."
A separate critical update, MS15-108, for JScript and VBScript also addresses problems that could lead to remote code execution in Windows systems.
"An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user," warned the advisory.
"If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights."
The MS15-108 update is rated critical for affected versions of the JScript and VBScript on supported editions of Windows Vista, Server 2008, and Server Core installations of Windows Server 2008 R2.
Meanwhile, update MS15-109 fixes vulnerabilities in Windows Shell that leave a system open to remote code execution, and is marked critical for all versions of Windows.
"For an attack to be successful, this vulnerability requires that a user opens a specially crafted toolbar object in Windows. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted tool bar object to the user and convincing the user to open it," stated the advisory.
Microsoft noted that it has no evidence to suggest that this vulnerability has been exploited in the wild, despite being listed as critical.
The three remaining bulletins, MS15-107, MS15-110 and MS15-111, fix vulnerabilities in the Edge browser, Office and Windows Kernel.
In a separate bulletin, Microsoft released an update for the .NET Framework that "disables RC4 in Transport Layer Security through the modification of the system registry".
Microsoft warned: "Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions."
Windows 10 Chinese Government Edition completed by Microsoft
And even when IoT projects do get completed, one-third aren't considered a success
So, the Frontier Edition launches at the end of June, the Radeon RX Vega in July - and the Ryzen 3 straight after?
From accidentally selling sensitive data on eBay, to forgetting that security solutions needs to be 'on' to work, we've got the full rundown of the worst security gaffes ever