July's Patch Tuesday to fix six critical Windows, Office, IE security vulnerabilities

July's Patch Tuesday to fix six critical Windows, Office, IE security vulnerabilities

Summary: Prepare for a bumpy ride for July's roundup of Patch Tuesday updates, Microsoft warns, with critical flaws for almost every version of Windows running every bit of hardware.

SHARE:
TOPICS: Security
70
eie

Microsoft's monthly release of security updates on deck for Tuesday, commonly known simply as Patch Tuesday, will include six "critical" updates that will require every version of Windows being patched by administrators.

Microsoft's advanced security bulletin also noted vulnerabilities in Visual Studio, Microsoft Office, Microsoft Lync, .NET Framework, and Silverlight. Internet Explorer 6 and above also requires patching on machines running Windows XP through to Windows RT.

The unusually high number of "critical" monthly updates in July will see Microsoft's figure rise to 22, a faster rate than 2012, which ended the calendar year with 34 critical flaws in total.

Bulletin 1 through to 6 all deal with remote code execution, which can give hackers and malware writers access to machines to install malware without user prompts or permission. 

A zero-day flaw, spotted by Google researcher Tavis Ormandy, which identified a problem in the kernel of Windows 2000 and above that affects the user privileges of the logged-on user, will also be fixed. He fanned the flames by making the discovery public and calling Microsoft "often very difficult to work with," and claiming the Redmond, Wash.-based software giant treated security researchers with "great hostility."

Though missed by Microsoft during June's security update release, Bulletin 4 will fix the kernel flaw.

The remining one bulletin rated as "important" allows hackers to elevate their privileges by exploiting Windows Defender running on Windows 7, or its server counterpart, Windows Server 2008 R2.

Details of the flaws are withheld by Microsoft until the patches are released to prevent abuse by third parties. 

Microsoft is also expected to issue a number of non-security related fixes to its Surface Pro and Surface RT tablets, in line with previous months.

The security fixes will be released on July 9 through the usual update channels, such as Windows and Microsoft Update.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

70 comments
Log in or register to join the discussion
  • In other news

    Today Canonical patched Ubuntu Linux for 1 Raptor vulnerability
    4th July 2013 for 3 kernel vulnerabilities
    3rd July 2013 for a SSL vulnerability, a Firefox regression and other vulnerabilitues, in total 4 vulns.
    2nd July 2013 for 2 vulnerabilities (in libvirt and curl)
    27th June 2013 for for 8 vulnerabilities (Subversion and Ubuntu upgrader)
    26th June 2013 for 26-28 vulnerabilities (Thunderbird and Firefox)
    20th June 2013 for 3 vulnerabilities
    19th June 2013 for 2 OpenStack vulns.
    18th June 2013 for 3 vulns (libraw, libKDcraw and Puppet)
    14th June 2013 for 18 kernel (OMAP4) vulnerabilities
    13th June 2013 for 3 vulns (OpenStack and DBus)
    12th June 2013 for 2 vulns
    11th June 2013 for 1 PHP vuln
    10th June 2013 for 1 xserver vuln
    5th June 2013 for 27 vulns (libxi, xserver and more)

    So in the course of 1 month some 104 vulns patched. Just not rolled up in one patch release.
    honeymonster
    • how many of them are remote code execution?

      How many are applicable to ALL GNU Linux (or all Ubuntu desktops?, say I don't have PHP installed on my Debian and LMDE, likewise omp4 applies to some arm archs)

      On the other hand, comparing Ubuntu (or any other distro) code base with Microsoft is like comparing an elephant and a mouse. A more fair thing would be comparing it to all software available for Windows, not just MS stuff.
      eulampius
      • 17 remote execution bugs in one month

        17 (at least) Remote code execution (using the same standard as Microsoft security bulletins):
        CVE-2012-0037
        CVE-2013-2145 (perl)
        CVE-2013-2174 (curl)
        CVE-2013-1682, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690, CVE-2013-1694, (CVE-2013-1697): Thunderbird & Firefox
        CVE-2013-1683, CVE-2013-1688; Firefox
        CVE-2013-1872, CVE-2013-1993: Mesa
        CVE-2012-4406: OpenStack Swift
        CVE-2013-2126: libRaw (image processing)

        (at least) 3 serious privilege escalation to root:
        CVE-2013-2852
        CVE-2013-2850
        CVE-2013-1979

        Mind you, remote code execution + escalation to root = total pwnage.

        Bonus:
        CVE-2013-1698 (giving remote attacker access to microphone and camera). Creepy stuff
        honeymonster
        • okay, let's see here

          --CVE-2012-0037 d "allows remote attackers to read arbitrary files via a crafted XML", not RCE
          --CVE-2013-2145 is a perl's Module::Signature vuln, that might let an author of another module being installed run arbitrary code from that package, not that a big deal, you install this module an WILL run the code from it, on the other hand most perl module are installed via package manager of the system
          -- CVE-2013-2174 "libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption", not REC

          The Thunderbird and FF's vulnerabilities are DOS ones with possibility to execute remote code
          --etc
          BTW, once again all or most of these vulnerabilities also apply to Windows OS, since you're talking about cross-platform software. Since you blame Red Hat and Debian for a Perl module vulnerability, let's kick some MS fat asses for it too ;) When will we see a Linux/BSD virus similar to stuxnet ?

          yeah and your "remote code execution + escalation to root" looks very nice but very unlikely, never happen yet, never heard of remote code execution exploits on Linux or BSD yet. One reason they get detected by many eyes and fixed long before an exploit is ready. Even on Android (based on Linux kernel) celebrated malware is just plain trojan stuff installed by gullible, stupid and lazy users.
          eulampius
        • Here we go with the CVE's again.

          Do you have any experience in software?

          ZDNET is notorious for blaming attacks on Firefox, Chrome, Open Office, etc.

          In truth, these applications support Windows and sister applications support Linux.

          Any application that runs on Windows is at a disadvantage. The three main reasons are:

          1. Windows is closed source, developers can't see or correct Windows security issues.

          2. Windows security is nonsensical and infinitely failure prone. Even their security design is protected by the "proprietary" closed source philosophy.

          3. Applications cannot account for and protect against all Windows security failures.

          When an application allows a Windows vulnerability to surface, the application is wrongly blamed and adjustments are made to the application. This correction, documented as a CVE is only for the Windows OS. As software management goes, the sister versions are "tidied up" with these changes to retain uniformity. But, in cases I've investigated, the "threat" involved would not impact Linux security at all. So that deflates your CVE argument.

          If you ever worked for a software company, you would understand that's how documentation and versions are handled. Because you see a CVE for a problem does not mean it affects Linux security, it is referring to changes to the program that runs on Linux. You need authentication to install on Linux, not on Windows.
          Joe.Smetona
          • Tell me how to get my Linux Mint 15 Cinnamon infected.

            What website should I visit, what should I click on? Really, if you are so dedicated, install Linux Mint and try to get yourself infected. That would be newsworthy.
            Joe.Smetona
          • Dude

            Even if you walled it off, it's still a flaw in Firefox or OpenOffice or Chrome. I get it, you really, real, really, hate closed source to the loin that you're basically a Stallman-lite, but your argument is bad.
            Michael Alan Goff
          • walled garden -shmalled garden

            You don't need Stallman or Torvalds to remember stuxnet, conficker, loveletter and cpu time given to constantly running AV scanners. That fear to click on "unknown" web links, visit an "infected" web page, insert a removable media, open an email or a "bad" document.
            This represents closed source to me, what does it represent to you?
            eulampius
          • I'm a day to day Linux user for over 12 years.

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.
            Joe.Smetona
          • Your comment contains words or phrases associated with spam and will not ap

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.
            Joe.Smetona
          • Your comment contains words or phrases associated with spam and will not ap

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.
            Joe.Smetona
          • Your comment contains words or phrases associated with spam and will not ap

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.
            Joe.Smetona
          • Your comment contains words or phrases associated with spam and will not ap

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.
            Joe.Smetona
          • Your comment contains words or phrases associated with spam and will not ap

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.
            Joe.Smetona
          • Your comment contains words or phrases associated with spam and will not ap

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.
            Joe.Smetona
          • Your comment contains words or phrases associated with spam and will not ap

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.
            Joe.Smetona
          • GETTHE MESSAGE ZDNET !!!!!!!!!!!!!

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.
            Joe.Smetona
          • When you get the filtering message, just post it a couple dozens of times.

            Maybe ZDNET will get the message.
            Joe.Smetona
          • Malware has left my universe for 12 years.

            It's like worrying about seeing a crank on a Ford Model T. There does not have to be any external protection, and that is big news. Imagine not having to deal with worrying about it at all.
            Joe.Smetona
          • In 12 years of using Firefox and Chrome since their inception....

            Don't you think I would have had at least one infection if it was not OS dependent?

            Really, try to get your Linux Mint or Ubuntu infected and post how you did it.

            You can't do it. End of story.
            Joe.Smetona