Microsoft set to deliver seven patches and address Windows zero-day


Microsoft on Tuesday plans to release seven patches as part of its monthly security update, including a fix for a zero-day kernel privilege escalation vulnerability discovered by a Google researcher.

Six of the seven patches earned the software giant's highest severity rating of "critical" and address remote-execution flaws in Windows, Internet Explorer, .NET Framework, Silverlight and GDI+, according to a notification. Among the fixes will be a patch for CVE-2013-3660.

The weakness was found by Tavis Ormandy, who in June posted a working exploit for the vulnerability. Ormandy, who butted heads with Microsoft three years ago after he published details about a Windows Help and Support Center flaw before the software giant had a fix in place, initially posted the latest bug to the Full Disclosure mailing list back in mid-May. 

"The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to security company Secunia. "The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected."

At the time, Microsoft wasn't aware of any active exploits. But the company now says it is aware of "limited, targeted" attacks, a spokeswoman told SCMagazine.com.

Paul Henry, security and forensic analyst at vulnerability management firm Lumension, suggested in prepared comments last week that IT administrators will have their hands full this month dealing with the patches.

"This is one of the uglier releases we've seen from Microsoft this year," he said. "To say that all Microsoft products are affected and everything is affected critically is not an understatement. It's difficult to prioritize one or two because all the bulletins are significant this Patch Tuesday."

In addition to the critical fixes, Microsoft also will resolve an "important" issue in its Security Software line of products.
