Microsoft To Fix Critical Errors, Windows Zero-Day Flaw


Microsoft will issue a fix to a critical Windows vulnerability in its July Patch Tuesday round of updates that includes seven bulletins, including six critical, correcting coding errors throughout its software products.

In its Advance Notification issued July 4, the software giant said the updates impact all supported versions of Windows as well as Internet Explorer, Silverlight and the .NET Framework.

A kernel-mode driver vulnerability was publicly disclosed in May by Google security researcher Travis Ormandy on the Full Disclosure mailing list. A proof-of-concept exploit targeting the coding error was tested against systems running Windows 7 and Windows 8. The flaw cannot be exploited remotely and Microsoft has not detected any ongoing attacks targeting the coding error.

[Related: Top 10 Malware Threats To Microsoft PCs]

"This is one of the uglier releases we've seen from Microsoft this year," said Paul Henry, security and forensic analyst at vulnerability management vendor Lumension. "To say that all Microsoft products are affected and everything is affected critically is not an understatement. It’s difficult to prioritize one or two because all the bulletins are significant this Patch Tuesday."

The six critical bulletins are remote code execution vulnerabilities, giving attackers the ability to target flaws without needing physical access to the PC. Several bulletins impact Windows and affect the company's latest versions of its operating systems, Windows 8, and RT and the latest Windows Server platform.

Internet Explorer updates probably will be the most important bulletin to implement, according to Wolfgang Kandek, chief technology officer of vulnerability management at vendor Qualys. In his analysis of the Advance Notification, Kandek said the security update impacts all versions of the browser. A bulletin that addresses an error affecting Microsoft Windows, Office and Lync also deserves attention because it could give attackers the ability to attack Windows remotely, he wrote.

The software maker also is issuing an update rated important to Windows Defender, its antimalware software. The security update fixes a flaw that can be exploited to elevate privileges on a victim's PC.

The security update is scheduled to be released Tuesday at about 1 p.m. ET.

July marks the first round of updates for Microsoft following the unveiling of its new bug bounty program. The company will reward researchers that find serious vulnerabilities in the latest versions of its products.

In June, Microsoft fixed nearly 20 Internet Explorer vulnerabilities. The update also included fixes to Microsoft Office, the Windows Kernel and a Print Spooler coding error.

PUBLISHED JULY 8, 2013