The two flaws, along with their proof-of-concept (PoC) code, were published Tuesday to the Full Disclosure mailing list, according to the SANS Internet Storm Center.
The first flaw is located in the use of HTA applications and could be exploited to trick a user into opening a malicious file, which has to be accessible through Server Message Block (SMB) or a remote site, according to SANS’ advisory.
"The currently available version of PoC that was published is limited in that it requires the user to double click on an icon to execute potentially malicious payload, but we can expect to find creative use of this in the wild very soon," read the advisory posted on the Internet Storm Center website attributed to researcher Bojan Zdrnja.
The second flaw is located in the handling of the object.documentElement.outerHTML property and can allow an attacker to retrieve remote content in the context of the web page currently being viewed, according to the SANS advisory.
Hackers can also use the flaw to retrieve data from other sites the victimized user has visited.
Researchers at SANS were able to replicate the second flaw even when using Mozilla’s Firefox browser, according to the advisory.
Secunia also released a PoC webpage for the second flaw.
Microsoft released its most recent batch of patches on July 13. Its next scheduled Patch Tuesday release is set for July 11.