Microsoft has issued a security update that fixes 19 critical vulnerabilities in Internet Explorer, including a serious flaw that could be exploited remotely by an attacker in drive-by attacks.
The software giant issued five bulletins, one critical, addressing security issues across its product line. The company's June 2013 Patch Tuesday includes fixes to Microsoft Office, the Windows Kernel and a Print Spooler coding error.
Microsoft said the Internet Explorer update affects all versions of the browser. It is rated moderate for Internet Explorer running on Windows servers. The issues include a script debug flaw and 18 memory corruption errors. Microsoft said an attacker could set up a malicious website to exploit the flaw and then lure users to visit the site. A successful attempt could enable an attacker to gain complete control of a victim's PC.
The June round of security updates made for a relatively light month for patching administrators. In his analysis of the update, Amol Sarwate, director of vulnerability labs at Qualys, said security pros should watch the IE issues closely. He said the light patching month should be no problem for administrators. He urged patching admins to quickly issue the update fixing the coding errors.
Other security updates were rated important. Microsoft also patched a flaw in the Windows Kernel that could result in information disclosure. The issue stems from the way the Windows kernel handles certain page fault system calls. Another kernel error could cause a denial-of-service condition.
An update to Microsoft Office repairs a flaw that could allow an attacker to gain access to system files and gain the same rights as the current user on the corporate network. The attacker would need to send a malicious email message and get the victim to open it in Outlook while using Microsoft Word as the email reader. The issue also is rated important and affects supported editions of Microsoft Office 2003 and Microsoft Office for Mac 2011.
In addition, Microsoft issued a security advisory updating cryptography and digital certificate handling in Windows. The update impacts all versions of Windows, Microsoft said. It is part of a series of software improvements that give the software maker more control over digital certificates that validate Windows software.
"Customer protection is an important facet of everything we do. We encourage you to apply these security updates if you do not have Automatic Updates enabled, and visit the Microsoft Security Response Center blog for prioritization guidance," said Dustin Childs, group manager, Microsoft Trustworthy Computing, in a statement issued today to CRN.
In May, Microsoft fixed 33 flaws across its product line, including a dangerous flaw in Internet Explorer 8.
PUBLISHED ON JUNE 11, 2013