Microsoft set to deliver seven patches and address Windows zero-day

Share this article:
Microsoft set to deliver seven patches and address Windows zero-day
Microsoft set to deliver seven patches and address Windows zero-day

Microsoft on Tuesday plans to release seven patches as part of its monthly security update, including a fix for a zero-day kernel privilege escalation vulnerability discovered by a Google researcher.

Six of the seven patches earned the software giant's highest severity rating of "critical" and address remote-execution flaws in Windows, Internet Explorer, .NET Framework, Silverlight and GDI+, according to a notification. Among the fixes will be a patch for CVE-2013-3660.

The weakness was found by Tavis Ormandy, who in June posted a working exploit for the vulnerability. Ormandy, who butted heads with Microsoft three years ago after he published details about a Windows Help and Support Center flaw before the software giant had a fix in place, initially posted the latest bug to the Full Disclosure mailing list back in mid-May. 

"The vulnerability is caused due to an error within "win32k.sys" when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to security company Secunia. "The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected."

At the time, Microsoft wasn't aware of any active exploits. But the company now said it's aware of "limited, targeted" attacks, a spokeswoman told SCMagazine.com.

Paul Henry, security and forensic analyst at vulnerability management firm Lumension, suggested in prepared comments last week that IT administrators will have their hands full this month dealing with the patches.

"This is one of the uglier releases we've seen from Microsoft this year," he said. "To say that all Microsoft products are affected and everything is affected critically is not an understatement. It's difficult to prioritize one or two because all the bulletins are significant this Patch Tuesday."

In addition to the critical fixes, Microsoft also will resolve an "important" issue in its Security Software line of products.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.