Microsoft plans six Patch Tuesday fixes, RCE bugs in 'critical' batch

Remote code execution (RCE) flaws in Windows and IE will receive top priority this month.

Ahead of Tuesday's monthly security update, Microsoft has previewed six patches, which will address vulnerabilities in its Windows, Internet Explorer and Server software.

On Thursday, the tech giant released an advance notification for Patch Tuesday revealing two critical fixes for remote code execution (RCE) bugs in Windows and Internet Explorer (IE). In addition, three bulletins will address “important” elevation of privilege vulnerabilities in Windows, while a final update, ranked “moderate,” plugs a denial-of-service hole in Microsoft Service Bus for Windows Server.

The patches for the Windows and IE RCE bugs were pegged top priority because they could allow code execution with little or no user interaction, meaning attackers could deliver malware to users during routine online activities like web browsing or checking email. Bulletins 1 and 2 are expected to bring a cumulative update for IE, affecting versions 6 through 11 of the web browser, as well as a security update for Windows.

“The second critical bulletin hits just about every version of Windows, from Vista and Server 2008 to 8.1, so it will be important to look into,” Russ Ernst, director of product management at Lumension, wrote in prepared emailed correspondence to SCMagazine.com.

Ernst noted, however, that the last scheduled patch from Microsoft, Bulletin 6, included a moderate fix – “a severity [rating] we haven't seen released for a while now [which] impacts Microsoft Service Bus for Windows Server,” he said.

“Microsoft Service Bus is a messaging service used by many third party web applications, as well as by Microsoft Azure, so even though this is rated as ‘moderate,’ it is probable that this vulnerability would be used in conjunction with other vulnerabilities to target those applications,” Ernst explained.

Ross Barrett, senior manager of security engineering at Rapid7, also addressed the denial-of-service fix, calling it the “odd one out this month” among the patches.

“[Service Bus is] part of the Microsoft Web Platform package and is not installed by default with any OS version,” Barrett wrote in prepared comments sent via email. “That said, if you have this component, you will probably care to patch this before script kids start knocking over your site.”
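Because Service Bus for Windows Server is an optional component rather than part of the OS, the first practical step is finding out which servers actually have it, and which IE and Windows versions (IE 6 through 11, Vista and Server 2008 through 8.1 are named above) are in the estate. The following PowerShell inventory script is an added example written for this page; it is not code from SC Magazine, Lumension, Rapid7 or Microsoft. The product display-name pattern, the "Service Bus*" service display-name pattern, and the registry locations it reads are assumptions about a typical install; the bulletin KB numbers were not public at the time of the article, so the script lists recent hotfixes rather than checking for a specific one.

```powershell
# Added example: patch-readiness inventory for the bulletins described in the article.
# Not from the article or any vendor. Run in an elevated PowerShell on each server.
# Assumptions: Service Bus registers an uninstall entry whose DisplayName contains
# "Service Bus" and Windows services whose DisplayName starts with "Service Bus".

function Get-ServiceBusInstall {
    # Check both the native and WOW6432Node uninstall hives for a Service Bus product entry.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Service Bus*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Get-ServiceBusServices {
    # Service display names are assumed to start with "Service Bus" (e.g. gateway, message broker).
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Service Bus*' } |
        Select-Object Name, DisplayName, Status
}

function Get-IEVersion {
    # svcVersion is populated on IE 10 and later; older releases only set Version.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($null -eq $ie) { return 'not found' }
    if ($ie.svcVersion) { return $ie.svcVersion }
    return $ie.Version
}

function Get-RecentSecurityUpdates {
    param([int]$Days = 30)
    # InstalledOn can be empty on some hosts, so filter out nulls before comparing dates.
    $since = (Get-Date).AddDays(-$Days)
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output ("Host {0}: {1} (build {2}), IE {3}" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber, (Get-IEVersion))

$products = Get-ServiceBusInstall
$services = Get-ServiceBusServices
if ($products -or $services) {
    Write-Output 'Service Bus for Windows Server appears to be installed; the moderate DoS bulletin applies here.'
    $products | Format-Table -AutoSize
    $services | Format-Table -AutoSize
} else {
    Write-Output 'Service Bus for Windows Server not detected; only the Windows and IE bulletins apply here.'
}

Write-Output 'Security updates installed in the last 30 days:'
Get-RecentSecurityUpdates -Days 30 | Format-Table -AutoSize
```

Run it through Invoke-Command against the server list to build a fleet-wide picture before Tuesday; hosts that report Service Bus present and an exposed web front end are the ones Barrett's comment about script kids is aimed at, and hosts still on IE 6 through 9 will need the cumulative update regardless.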
