Microsoft fixes critical Windows, IE flaws for Patch Tuesday

Summary: Updates, ahoy. Get a strong pot of coffee on the go, Patch Tuesday is on deck for another month. Microsoft has released seven security bulletins, four of them rated 'critical'.


Microsoft has released four critical security updates for Windows and Internet Explorer, along with fixes for a bevy of other products, to address at least 19 vulnerabilities identified in its software.

(Image: Screenshot by Zack Whittaker/ZDNet)

On deck this month are four "critical" bulletins that affect Windows, Internet Explorer, Office, and Windows Server, including one for Silverlight that affects both Windows and Mac machines.

Microsoft reserves the "critical" rating for vulnerabilities whose exploitation could allow code execution without user interaction, such as self-propagating malware or code that runs simply because a user browsed to a web page or opened an email. "Important" covers flaws whose exploitation could compromise the confidentiality, integrity or availability of user data or of processing resources, such as an elevation of privilege that lets an attacker reach system files that should be restricted to administrators.

First and foremost, MS13-021 fixes nine vulnerabilities in Internet Explorer (eight privately reported and one publicly disclosed), including a flaw that the article's sources say had been actively exploited in the wild for around one month.

The most severe Internet Explorer flaw affected every supported Windows client, from Windows XP Service Pack 3 through Vista, Windows 7 and Windows 8, as well as tablets running Windows RT, on Internet Explorer 6 and above. An attacker who exploited it would gain the same rights as the logged-on user, so those running as standard "users" rather than "administrators" were less exposed, since the attacker's code would inherit their limited access to system files and documents.

Other critical bulletins include MS13-022, which patches a flaw in Silverlight that could allow remote code execution on a Windows or OS X machine if a user browsed to a page hosting a malicious Silverlight application.

Meanwhile, MS13-023 covers Office, specifically the Visio viewer, and could allow remote code execution if a malicious Visio file was opened on a vulnerable machine. MS13-024 covers SharePoint on Windows Server systems, where an attacker could plant script in a specially crafted URL, such as a search query, a cross-site scripting (XSS) vulnerability. A user who clicked the link would run the attacker's script inside their own SharePoint session, letting the attacker read content and take actions on the site with that user's permissions.

The remaining bulletins, rated "important", address information disclosure and elevation of privilege flaws. They affect SharePoint, OneNote, Outlook for Mac, and kernel-mode drivers on Windows-based machines.

On Microsoft's Security blog, Dustin Childs explained that the software giant has taken a "recent shift" in its approach towards application updates on the Windows Store, such as those that are available for Windows 8 and Windows RT-based machines.

"In the end, our decision provides customers easy access to needed security updates in a timely manner without sacrificing transparency."

In a separate post, Microsoft's Security Response Center's Mike Reavey said that the company will "deliver high-quality security updates for Windows Store apps as they become available. Providing security updates to Windows Store apps more frequently will allow us to add new functionality, fix issues and improve security".

"To ensure transparency, we will document all security updates for Windows Store apps in a security advisory, which we will revise with each new security update release. The security update process itself will be identical to that of any other Windows Store app update — customers will simply click on the store tile and select the update," he noted.

Today's Patch Tuesday updates are available on the usual channels, such as Windows and Microsoft Update, or through Windows Server Update Services.
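A practitioner will want to confirm that this month's bulletins actually reached a given host. The following PowerShell is an added example, not code from the ZDNet article or from Microsoft, and it uses the Windows Update Agent COM API (Microsoft.Update.Session) that sits behind Windows Update, Microsoft Update and WSUS clients. It assumes it is run locally in an elevated session; the KB number passed to Test-KbInstalled is a placeholder for the caller to take from the relevant bulletin page, not a value from the article.

```powershell
# Added example (not from the article): audit a Windows host for security
# updates that Windows Update considers applicable but not yet installed,
# and check whether a specific KB has been installed.
# Assumptions: run locally, in an elevated PowerShell session, on a host
# whose update source (Microsoft Update or a WSUS server) is reachable.

function Get-PendingSecurityUpdates {
    [CmdletBinding()]
    param(
        # Lowest MSRC severity to report. Default covers the two ratings
        # the article discusses, Critical and Important.
        [ValidateSet('Critical', 'Important', 'Moderate', 'Low')]
        [string]$MinimumSeverity = 'Important'
    )

    $rank = @{ Critical = 4; Important = 3; Moderate = 2; Low = 1 }

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # IsInstalled=0 selects updates applicable to this host that are
    # missing; IsHidden=0 skips updates an administrator has hidden.
    # The search talks to the configured update source and can take a while.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($update in $result.Updates) {
        # Non-security updates (drivers, feature updates) carry an empty
        # MsrcSeverity, so they are skipped here.
        if ([string]::IsNullOrEmpty($update.MsrcSeverity)) { continue }
        if ($rank[$update.MsrcSeverity] -lt $rank[$MinimumSeverity]) { continue }

        [pscustomobject]@{
            Severity  = $update.MsrcSeverity
            KB        = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Bulletins = (@($update.SecurityBulletinIDs) | ForEach-Object { $_ }) -join ','
            Title     = $update.Title
        }
    }
}

function Test-KbInstalled {
    [CmdletBinding()]
    param(
        # KB article id as shown on the bulletin page, e.g. 'KB1234567'
        # (placeholder format only; take the real id from the bulletin).
        [Parameter(Mandatory)]
        [ValidatePattern('^KB\d+$')]
        [string]$KB
    )

    # Get-HotFix reads the installed-update inventory; comparing the
    # HotFixID field avoids the error -Id raises when nothing matches.
    $hit = Get-HotFix | Where-Object { $_.HotFixID -eq $KB }
    [bool]$hit
}

# Usage: list missing Critical/Important updates, then check one KB.
Get-PendingSecurityUpdates | Sort-Object Severity, KB | Format-Table -AutoSize
Test-KbInstalled -KB 'KB1234567'   # replace with the KB from the bulletin
```

Two caveats worth knowing. The WUA API refuses remote COM calls, so running this through a PowerShell remoting session to another machine fails with an access-denied error; run it locally or through a scheduled task on the target. And a host pointed at a WSUS server only sees updates its administrator has approved, so an empty result there means "nothing approved is missing", not "fully patched against everything Microsoft shipped".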

The next round of monthly updates will arrive on April 9.




  • more details

    I'd like to see the difference in threat level for admin vs non-admin users on all malware reporting. It takes a lot of evidence to convince users to default to running as a standard user.
    • I run all my user accounts on Windows... Standard user and have a maintenance account that I use for updates and software installs when necessary. Convincing users to do this should be as simple as asking "Do you want your computer to be as secure as possible?"
    • It's easy: Any user I support must run as a standard user...

      ...unless there is a technical reason they cannot. If they elect to run as an administrative user then they receive no further support from me.
      • Amazingly

        Amazingly, my PC at work has all the users set as admins, and when I asked to change my account to a standard user they refused. Not surprisingly, it is not uncommon for computers at my job to get infected...
        Doctor Demento
  • I'll stick with superior software, no thanks Windows

    The fact that a popular operating system would need so much constant patching, and the faithful computer users just accept this bad situation like jaded sheep, shows a disconnect of Windows users with the realities of exceptional computing in 2013.

    All the lame excuses and convoluted reasoning in the world - of Windows' dominant market share and anecdotal stories of personal satisfaction - won't compensate for the fact that only Windows needs the plethora of anti-everything utility software that still does not work properly.

    I'll stick with Mac OSX and Gentoo Linux for far superior reliability, security and performance.
    • This is what Apple users actually believe

      Hahaha, oh wow.
    • I guess you didn't get the info on the biggest virus

      threat ever that affected 600,000 Apple computers. The thing is, it's a known fact that Steve Jobs vowed that Apple devices would NEVER EVER run Flash. But the virus asked Apple users to install Flash.
  • IE10 for Win7 via MS Update now

    MS is offering IE10 for Win7 via MS Update now as an "Important" update, but it is not selected by default.
  • IE 10 for Windows 7 is NOT affected

    Note that IE 10 for Windows 7 is NOT affected.
    • re: Note that IE 10 for Windows 7 is NOT affected.

      But IE 10 on Win 8 fell at CanSecWest

      • Also note..

        Fail: Chrome, Firefox, and IE all crack during hacking competition
        • But, by all means...

          Continue to tell 'your' story. It is comedic for those of us that follow the entirety, not just your perspective.
  • Could you explain this sentence a bit better?

    "First and foremost, Microsoft has fixed a nine vulnerabilities in MS13-021 ..."

    First off, that is not proper English. Is that nine vulnerabilities addressed in one update? Second, if I only have one OS, is that not just one vulnerability addressed, thus dividing your assertion by 9? I would hope you hold to some credible journalistic standards to not use this number as some form of multiplier for one vulnerability.
  • And the beat goes on !!!!!

    Sorry people, but some of these posts are the same old thing - NO MATTER WHAT THE SUBJECT!!! Relax - read the whole article and then comment.... "Get it right the first time" So you (yea you) have never made a mistake before - got everything right the first time??!! Wow - I'm 79 years young (and retired 3 times) and I never met anyone like YOU!!! I make mistakes and over the years of very, very successful careers - I have made mistakes - just like today - responding to a bunch of garbage comments about the article!!!! Nuff said...
  • By the way

    I am always late to post a comment because I read the whole article and each comment to the article!!!!!!!!!!!!!!
  • I Love It

    I'm retired so I look forward to patching my system every month, it's a great hobby!

    I get to email all my other retired buddies and we party while updating all the time.

    I know ehhh Get a Life ! LOL
  • 12 years

    Firefox and Eset never a problem.
  • Never and I guarantee it

    I like Kuby's post, will MS ever get a pre-release qual right... From 20 years of working with them I'd say no, as they don't intend to. They are very clever in knowing that everybody is reliant on them with few other options and seem happy to develop via the issues faced by first adopters and the automatic information transmitted back from these.

    Another good example is Hosted Exchange, where we are now waiting to launch 2013 because MS are (we hope soon) launching what is essentially a service pack, but not, so users can be migrated between 2010 and 2013 over the same domain. You would have thought something such as a migration path was the first thing on the drawing board?
    Phil - Cloud4 Computers
  • Enough anecdotal personal Windows sales pitches

    If IBM, Oracle Corp, Netflix, Cisco, the European Union, Juniper Networks and all the stock exchanges have stated publicly that they use either Red Hat Linux or FreeBSD as their primary OS over Microsoft Windows, even over the latest 2012 server release, because Redmond's OS can't sustain the reliability or does not have the required levels of security, why would anyone in their right mind listen to all these Microsoft minions about "how great Windows is" in their individual anecdotal stories?

    Three perfect examples:
    Netflix chose FreeBSD as the best OS infrastructure for their network appliances to stream "millions" of movies daily to customers through Internet Service Providers (ISPs). While Linux was just as robust, its networking stack was not quite as fast or as flexible.
    Even after many months of testing, Windows totally failed evaluations with poor reliability and unacceptable security, and particularly terrible scalability.

    Windows Security Essentials - an integral part of Windows 7/Windows 8 recently "twice" failed critical security tests in a European testing lab.

    Windows Server 2012 was successfully hacked at the CanSecWest security technology event recently in British Columbia, Canada. Several "participating" security professionals posited that the problem in the OS may not be fixable.

    Address these "real world" issues of Windows reliability and security, as opposed to publishing endless personal Windows promotional stories that have no industry technical evaluations or test cases to support your experiences.

    Maybe you windows guys/gals know more than almost 90% of all the top technology Universities, companies and organization in the world!!!
  • I agree with the Linux comments.

    Every time I boot up my Chromebook, I never worry about whether it is up to date or not. Usually it makes sure it is up to date when it boots, and if it tells me there's an update available after it has booted up, all it takes is the click of a link for a reboot (their bragging record is accurate, too!) and my system is up to date, and I am back to work with minimal inconvenience, which is something I have never been able to say about Windows since 3.1x. Does anyone know if 8 still uses the registry method of keeping track of software and system settings?
    Richard Estes