Microsoft fixes two critical Windows, IE security flaws for April's Patch Tuesday

Summary:Get a strong pot of coffee on, April's Patch Tuesday has arrived. In the latest round of security updates, Microsoft has released patches for nine security vulnerabilities, two of them considered 'critical'.

Microsoft has released two critical security updates for Windows and Internet Explorer as part of its latest round of Patch Tuesday updates

ie9

Included in the patches are seven important updates for Office, SharePoint and Windows Server products, which are hitting the usual update channels today.

The first critical bulletin affects versions of Internet Explorer 6 and above on Windows XP, Windows Vista, Windows 7. It also affects Internet Explorer 10 on Windows 8 and Windows RT-based tablets.

It includes two separate flaws, one that allows remote code execution — such as a malware injection — if an affected user views a specially crafted Web site. This would allow the attacker to access an infected machine at the same user rights level. 

Because the attack vector is higher on more Windows-based machines, the first critical flaw affecting Internet Explorer should be first on the agenda.

The second critical bulletin affects the Remote Desktop Client that could allow another such malware injection, which would give the attacker the same user rights as the logged-in user, just as the first flaw.

Both patches fixing the two critical vulnerabilities require the machine to be restarted.

Other vulnerabilities rated as "important" could allow data and information disclosure, or an elevation of privileges on affected machines. 

Five of the other seven flaws relate to Windows, as well as software running on the platform. 

MS13-036 fixes three privately disclosed flaws and one publicly disclosed flaw in a Windows kernel-mode driver that allows an elevation of privileges, but only affects logged-in users. Another flaw in the Windows kernel, MS13-031, could also allow an elevation of privileges if a user is logged in.

Meanwhile MS13-033 patches a flaw in the Windows Client and Server Run-time Subsystem (CSRSS). Affected software versions include all versions of Windows Server 2003 and 2008, and Windows XP and Vista.

MS13-030 is an important patch that affects SharePoint that could allow unauthorized disclosure of information. MS13-035 fixes a vulnerability in Office that allows an elevation of user privileges from "user" to "administrator" if an attacker sends a malware-ridden file to the user.

Also included with today's patches  include a bevy of patches  for the Surface RT tablet. ZDNet's Mary Jo Foley has more. 

This edition of Patch Tuesday comes at a time when Microsoft is warning that Windows XP support is coming to an end in a year's time. The software giant will  no longer provide security updates  for the ageing 12-year-old operating system from April 8, 2014.

All patches are available through the usual update channels, including Windows and Microsoft Update.

Topics: Security, Microsoft

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.