Microsoft has pledged to release critical security fixes for its Internet Explorer (IE) and SharePoint server services, as a part of its May Patch Tuesday update.

The IE and server fixes are the only two out of the eight due for release next week to be listed as critical.

Rapid7 senior manager of security engineering Ross Barrett said the fixes are critical because the flaws they address could theoretically be exploited remotely by hackers.

"The patching priority is definitely the two critical issues, one of which seems to affect numerous components of SharePoint Server," he said.

"This may prove to be a legitimate remotely exploitable issue, and definitely where I would focus my remediation resources first.

"The omnipresent critical patch in IE is a close second in terms of importance, from the advance notice point of view."

Barrett added that the IE flaw is particularly dangerous as it also affects Microsoft's unsupported Windows XP operating system.

"The IE critical is the first that clearly would have applied to Windows XP, but for which a patch is not available," he said.

"IE 6, 7 and 8 are vulnerable on Windows 2003 SP2. This would historically have mapped to the same scope of XP patches, but not this time. Anyone still using XP just got a little less secure - not that they were well off to begin with."

Microsoft officially cut support for Windows XP in April. The firm previously backtracked on its promise to stop releasing security updates for Windows XP when a separate zero-day vulnerability was discovered in IE earlier in May.

The remaining six updates due to arrive next week relate to Microsoft's Office and core Windows code and are rated by Microsoft as important. Barrett said the lack of firm information about the vulnerabilities makes gauging the danger they pose difficult.

"There are important issues applying to all supported versions of Windows and Office. How important these are will become clearer when the advisories are released," he said.

V3.co.uk