Microsoft fixes three "critical" flaws with Patch Tuesday release

Microsoft's monthly security update released Tuesday includes fixes for three privately disclosed "critical" vulnerabilities in Internet Explorer (IE) and Remote Desktop Connection (RDC).

The flaws could allow remote code execution in IE and RDC if a user visits a malicious web page, according to the company's Patch Tuesday bulletin.

In total, the update contains nine patches to correct 14 vulnerabilities, which, in addition to remote code execution, could grant an attacker elevated privileges or enable denial-of-service (DoS) attacks.

Ziv Mador, director of research at security and compliance firm Trustwave, said the IE (MS13-028) and the RDP bugs (MS13-029) are the most pressing to patch.

“It has been a few months since we have had [an] RDP (remote desktop protocol) vulnerability, but I was pretty sure we hadn't seen the last of them,” he wrote. “In this case, getting a user to visit a specially crafted web page could result in remote code execution. The actual flaw is located in the ActiveX control, mstscax.dll, which attempts to access an object in memory that has been deleted.”

Other vulnerabilities categorized as “important” by Microsoft included a flaw in SharePoint Server that could allow information disclosure to an attacker. A patch for Active Directory was also released, fixing a flaw that could enable an attacker to carry out a denial-of-service attack.

Meanwhile, Microsoft has announced that it will end support for Windows XP on April 8, 2014. The operating system was originally released in August 2001.

“This means that any new vulnerabilities discovered in Windows XP after its end-of-life will not be addressed by new security updates by Microsoft,” said a blog post from Tim Rains, director of product management at Microsoft Trustworthy Computing Group. “Moving forward, this will likely make it easier for attackers to successfully compromise Windows XP-based systems using exploits for unpatched vulnerabilities.”
