Microsoft on Tuesday plans to release seven patches as part of its monthly security update, including a fix for a zero-day kernel privilege escalation vulnerability discovered by a Google researcher.
Six of the seven patches earned the software giant's highest severity rating of "critical" and address remote-execution flaws in Windows, Internet Explorer, .NET Framework, Silverlight and GDI+, according to a notification. Among the fixes will be a patch for CVE-2013-3660.
The weakness was found by Tavis Ormandy, who in June posted a working exploit for the vulnerability. Ormandy, who butted heads with Microsoft three years ago after he published details about a Windows Help and Support Center flaw before the software giant had a fix in place, initially posted the latest bug to the Full Disclosure mailing list back in mid-May.
"The vulnerability is caused due to an error within "win32k.sys" when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to security company Secunia. "The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected."
At the time, Microsoft wasn't aware of any active exploits. But the company now said it's aware of "limited, targeted" attacks, a spokeswoman told SCMagazine.com.
Paul Henry, security and forensic analyst at vulnerability management firm Lumension, suggested in prepared comments last week that IT administrators will have their hands full this month dealing with the patches.
"This is one of the uglier releases we've seen from Microsoft this year," he said. "To say that all Microsoft products are affected and everything is affected critically is not an understatement. It's difficult to prioritize one or two because all the bulletins are significant this Patch Tuesday."
In addition to the critical fixes, Microsoft also will resolve an "important" issue in its Security Software line of products.