Microsoft plans six Patch Tuesday fixes, RCE bugs in 'critical' batch

Share this article:
Microsoft warns of attacks leveraging Word zero-day, releases temp fix
Remote code execution (RCE) flaws in Windows and IE will receive top priority this month.

Ahead of Tuesday's monthly security update, Microsoft has previewed six patches, which will address vulnerabilities in its Windows, Internet Explorer and Server software.

On Thursday, the tech giant released an advance notification for Patch Tuesday revealing two critical fixes for remote code execution (RCE) bugs in Windows and Internet Explorer (IE). In addition, three bulletins will address “important” elevation of privilege vulnerabilities in Windows, while a final update, ranked “moderate,” plugs a Microsoft Server hole allowing denial-of-service attacks.

The patches for Windows and IE RCE bugs were pegged top priority because they could allow RCE without user interaction – meaning saboteurs could easily spread malware to users as they engage in routine online activities like web browsing or checking email. Bulletins 1 and 2 are expected to bring a cumulative update for IE, affecting versions 6 through 11 of the web browser, as well as a security overhaul for Windows. 

“The second critical bulletin hits just about every version of Windows, from Vista and Server 2008 to 8.1, so it will be important to look into,” Russ Ernst, director of product management at Lumension, wrote in prepared emailed correspondence to SCMagazine.com.

Ernst noted, however, that the last scheduled patch from Microsoft, Bulletin 6, included a moderate fix – “a severity [rating] we haven't seen released for a while now [which] impacts Microsoft Service Bus for Windows Server,” he said.

“Microsoft Service Bus is a messaging service used by many third party web applications, as well as by Microsoft Azure, so even though this is rated as ‘moderate,' it is probable that this vulnerability would be used in conjunction with other vulnerabilities to target those applications,” Ernst explained.

Ross Barrett, senior manager of security engineering at Rapid7, also addressed the denial-of-service fix, calling it the “odd one out this month” among the patches.

“[Service Bus is] part of the Microsoft Web Platform package and is not installed by default with any OS version,” Barrett wrote in prepared comments sent via email correspondence. “That said, if you have this component, you will probably care to patch this before script kids start knocking over your site,” Barrett said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Researchers observe more than a hundred connections to 'Backoff' sinkhole

Researchers with Kaspersky Lab were able to sinkhole two command-and-control servers used by certain Backoff point-of-sale malware samples.

Judge lifts stay but Microsoft won't hand over emails during appeal

A judge has lifted a suspension of a previous order compelling Microsoft to hand over customer emails stored on a server in Ireland.

Home Depot investigates possible payment card breach

Home Depot investigates possible payment card breach

Home Depot said on Tuesday that it is working with its banking partners and law enforcement to investigate a possible data breach.