Microsoft to patch security vulnerabilities on Tuesday - including some rated as "critical"

Filed Under: Featured, Internet Explorer, Malware, Microsoft, Vulnerability, Windows

Patch Tuesday is bringing seven security fixes, with Microsoft deeming four of them "drop-everything-and-fix-this-now" critical.

The patches are for Windows, Internet Explorer and Office, as well as a sprinkling for Windows Server and Silverlight.

Microsoft says that four of the patches will address "critical" vulnerabilities.

Emergency. Image from Shutterstock

"Critical" is, of course, Microsoft's highest severity rating.

It covers self-propagating malware such as network worms, and common-use scenarios in which code is executed without any warning or prompt, such as when users open a booby-trapped email or suffer a drive-by attack from a maliciously rigged webpage.

In this patch go-round, Microsoft warns that critical flaws might allow for remote code execution on Windows, Internet Explorer, Silverlight and Office.

Another critical vulnerability would allow for elevation of privilege on Office and Server Software.

Flaws rated "important" could lead to elevation of user privileges or the disclosure of user data or personal information.

On Microsoft's vulnerability executive summary page, the company says that some of the critical patches affect Mac users as well as Windows users.

Attackers exploiting such a vulnerability could gain the same user rights as the current user.

Of course, as soon as Tuesday comes, malicious hackers will be glued to their screens. They'll be checking out Microsoft's patches and will get to work on code to exploit computers whose owners or system administrators haven't patched, pronto.

As for the vulnerabilities that have been publicly disclosed, well, those attackers have that much more of a head-start.

This month, as with every Patch Tuesday, the longer you wait to apply the security patches, the more time attackers will have to finesse, and launch, their attacks.

So don't delay: patch as soon as possible.

On the surface of it, March doesn't look half as gnarly as the monster-sized 57 updates that Microsoft dumped on our doorsteps in February.

But numbers don't tell the whole story. For every corporation, every patch brings the possibility of conflicts.

So this week, tiptoe gently around the support people. Lord knows they'll be busy making sure the place stays afloat.

ECG pattern image from Shutterstock.

7 Responses to Microsoft to patch security vulnerabilities on Tuesday - including some rated as "critical"

  1. gregory f · 540 days ago

    Why do we have to wait for Patch Tuesday? If the fixes are critical, why not release sooner?

    • JimboC_Security · 540 days ago

      Hi Gregory f,

      Agreed, for most home users, this would work but the fixes are released at a predictable time each month to allow corporations to allocate time (plan ahead) so that they can patch as soon as possible.

      The above is a simple case whereas some corporations have rigorous change control processes while others must adhere to security baselines which can sometimes involve assessing the EAL (Evaluation Assurance Level) of affected systems before and after the patch(es) to ensure they still meet the required security baseline. If patches were released on an ad-hoc (as needed) basis a lot of duplication of effort may occur (the same process is repeated for each patch rather than a set of patches).

      Some further examples of how corporations manage patches are given in the following Sophos Techknow podcast:
      http://nakedsecurity.sophos.com/2012/07/18/sophos...

    • JimboC_Security · 540 days ago

      According to Microsoft, a severity rating of critical is:

      A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.

      Source: http://technet.microsoft.com/en-us/security/gg309...

      Patches are released immediately when a critical or important severity issue is being exploited by a specific threat (usually malware) and there is currently no official fix available. Such updates are made available outside of the regular once-a-month Patch Tuesday and are known as Out of Band (OOB) updates. For example, such an update was made available for Internet Explorer in late January this year.

      I hope the above explanation is helpful. Thank you.

    • Guest · 540 days ago

      It's Microsoft's policy... perhaps partly due to internal patch testing before releasing them... but I do wish critical patches would get released ASAP rather than on Tuesday.

  2. They're giving us a chance to back up our systems so when the patches fail and crash us, we can have a shot at recovering... I appreciate the consideration.

  3. akboss · 540 days ago

    As for home, I will selectively patch, as I do not use Silverlight and won't; I have server software, but not at home; and Office is rarely used and never online.

    As for enterprises, that is a ton of work. Run each patch to see how it works with EVERYTHING, then run 2 of the patches and see if anything breaks, and on and on.

  4. Why should there be any fixes at all? Don't they use zero defects? Get it right the first time! The end user pays for the mistakes you make, MS! Personally I don't care; I don't use IE or, for that matter, any other MS product.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.