Microsoft's monthly security update released Tuesday includes fixes for three, privately disclosed "critical" vulnerabilities in Internet Explorer (IE) and Remote Desktop Connection (RDC).
The flaws could allow remote code execution in IE and RDC if a user visits a malicious web page, according to the company's Patch Tuesday bulletin.
In total, the update contains nine patches to correct 14 vulnerabilities, which, in addition to remote code execution, could grant an attacker elevated privileges or carry out denial-of-service (DoS) attacks.
Ziv Mador, director of research at security and compliance firm Trustwave, said the IE (MS13-028) and the RDP bugs (MS13-029) are the most pressing to patch.
“It has been a few months since we have had [an] RDP (remote desktop protocol) vulnerability, but I was pretty sure we hadn't seen the last of them,” he wrote. “In this case, getting a user to visit a specially crafted web page could result in remote code execution. The actual flaw is located in the ActiveX control, mstscax.dll, which attempts to access an object in memory that has been deleted.”
Other vulnerabilities categorized as “important” by Microsoft included a flaw in SharePoint Server that could allow information disclosure to an attacker. As well, a patch for Active Directory was released, fixing a flaw that could enable an attacker to carry out a denial-of-service attack. .
Meanwhile, Microsoft has announced that it would end support for Windows XP on April 8, 2014. It was originally released in August 2001.
“This means that any new vulnerabilities discovered in Windows XP after its end-of-life will not be addressed by new security updates by Microsoft," said a blog post from Tim Rains, director of product management at Microsoft Trustworthy Computing Group. "Moving forward, this will likely make it easier for attackers to successfully compromise Windows XP-based systems using exploits for unpatched vulnerabilities."
