Microsoft set to deliver seven patches and address Windows zero-day


Microsoft on Tuesday plans to release seven patches as part of its monthly security update, including a fix for a zero-day kernel privilege escalation vulnerability discovered by a Google researcher.

Six of the seven patches earned the software giant's highest severity rating of "critical" and address remote-execution flaws in Windows, Internet Explorer, .NET Framework, Silverlight and GDI+, according to a notification. Among the fixes will be a patch for CVE-2013-3660.

The weakness was found by Tavis Ormandy, who in June posted a working exploit for the vulnerability. Ormandy, who butted heads with Microsoft three years ago after he published details of a Windows Help and Support Center flaw before the software giant had a fix in place, had initially posted the latest bug to the Full Disclosure mailing list in mid-May.

"The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to security company Secunia. "The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected."

At the time, Microsoft wasn't aware of any active exploits. The company now says it is aware of "limited, targeted" attacks, a spokeswoman told SCMagazine.com.

Paul Henry, security and forensic analyst at vulnerability management firm Lumension, suggested in prepared comments last week that IT administrators will have their hands full this month dealing with the patches.

"This is one of the uglier releases we've seen from Microsoft this year," he said. "To say that all Microsoft products are affected and everything is affected critically is not an understatement. It's difficult to prioritize one or two because all the bulletins are significant this Patch Tuesday."

In addition to the critical fixes, Microsoft also will resolve an "important" issue in its Security Software line of products.
