Microsoft Fixes 6 Critical Flaws for Patch Tuesday

/ Source: TechNewsDaily

This month's Patch Tuesday, the day on which Microsoft releases security updates, will be a bit of a doozy for Windows users.

The company announced last week that six out of the seven software updates, scheduled to roll out tomorrow (July 9), are critical and affect a broad swath of Microsoft products.

Microsoft's classification of updates as "critical" means that without the patch, hackers could remotely run malicious code on an unsuspecting user's operating system, a process known as remote code execution (RCE)

While critical patches aren't uncommon, they don't always occur in such high numbers. Last month's Patch Tuesday saw only one critical security bulletin, for a vulnerability affecting all supported versions of Windows and Internet Explorer.

June's critical patches address vulnerabilities in Windows, .NET Framework, Silverlight, Internet Explorer and GDI+.

The patch that will likely affect the most users is bulletin 4, which addresses vulnerabilities in all supported versions of Internet Explorer, from Internet Explorer 6 (IE6) on Windows XP to IE10 on Windows 8 and the tablet-only Windows RT.

According to the British security firm Sophos' Naked Security blog, the most notable of this month's bulletins is the patch to fix the vulnerability in Windows Server Core 2012, a component usually spared from updates.

Server Core is a stripped-down version of Windows, making it a more difficult platform for hackers to attack. But July's Patch Tuesday will fix even this minimalist component, requiring users to perform a full reboot.

[ 13 Security and Privacy Tips for the Truly Paranoid ]

Other anticipated fixes include a patch for Microsoft Lync, an instant messaging component for Microsoft Office and several other updates for Windows.

Microsoft classified just one of this month's security bulletins as "important" rather than "critical" — a patch for the Windows Defender security software on Windows 7.

Without the Defender patch, hackers can gain authorized permissions to a user's operating systems beyond what was initially granted. Such attacks, known as elevations of privilege (EoPs) must be combined with RCE to be truly affective, hence their non-critical classification.

July's Patch Tuesday will also address a zero-day vulnerability — one that was already being exploited upon disclosure — in Microsoft's kernel code. The vulnerability was discovered by Google security engineer Tavis Ormandy.

Ormandy published the details of the vulnerability, CVE-2013-3660, back in May, eventually writing software to exploit the flaw early in June.

Follow Elizabeth Palermo on Twitter  @techEpalermo or on Google+. Follow us @TechNewsDaily, on Facebook or on  Google+.