Microsoft fixes 'critical' security bugs affecting all versions of Windows

Microsoft patched 48 separate vulnerabilities — the majority of which were the highest "critical" rating.

(Image: file photo)

Microsoft has patched two security vulnerabilities affecting all supported versions of Windows.

The software giant said Tuesday that an attacker could remotely exploit a "critical"-rated remote code execution vulnerability in how Windows Search handles objects in memory, allowing a full takeover of an affected computer.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, said the company in an advisory. The attacker would have to send a specially crafted message to the Windows Search service. An attacker could then elevate privileges and "take control of the computer," the advisory said.

It added that an unauthenticated attacker in an enterprise setting could remotely trigger the flaw through an SMB connection, which Trend Micro researchers said in a blog post is "pretty close to wormable," referring to its spreadability.

Every supported version of Windows 7 and all versions of Windows 10, as well as Windows Server systems, are affected by the bug.

Although technical details or a proof-of-concept have not been made public and it is not known to be under active exploitation by an attacker, the company warned that there is a "more likely" chance of a future attack.

Another "critical" remote code execution flaw in the legacy JET database engine could allow an attacker to take full control of a computer.

An attacker would likely have to trick a user into opening a malicious database file from an email, the company said, as part of a spearphishing campaign.

The company said that the privately-disclosed bug was "unlikely" to be exploited.

The software giant released patches for 46 other vulnerabilities as part of its regularly scheduled Patch Tuesday set of security fixes. More than half of the vulnerabilities listed are rated "critical."

August's patches are available through Windows Update.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Read More

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All