Microsoft fixes critical Windows, Office, IE security flaws

Summary: Microsoft today released five critical patches that fix more than a dozen security vulnerabilities in all versions of Internet Explorer 6 and above, Windows, and Office.

Internet Explorer 9, one of the affected browser versions fixed in February's Patch Tuesday, under a previously discovered malware attack. (Credit: Rapid7)

Microsoft has released its latest round of security fixes in a large Patch Tuesday update, addressing 57 known security vulnerabilities in total.

Of the 12 bulletins, five are rated "critical," meaning an attacker could remotely execute code on an unpatched machine, opening the door to malware infection.

Two of the bulletins focus on all versions of Internet Explorer 6 and above—including IE7, IE8, IE9, and even IE10, which is only available for Windows 8 and Windows RT-powered devices, such as the Surface tablet.

For Windows 8 and Windows RT users, ZDNet's Mary Jo Foley explains that amid the security patches, a number of issues relating to Wi-Fi and "Connected Standby" have also been fixed.

In one bulletin, MS13-009, 13 flaws in total are patched; the most severe of them could allow an attacker to run code on a machine after the user visits a specially crafted web page. Often the user does not notice that anything has been installed, yet the attacker may be able to read files and documents and take control of the machine.

The second Internet Explorer bulletin, MS13-010, fixes a critical vulnerability in the Vector Markup Language (VML) ActiveX library, which Microsoft said last week is being actively exploited in the wild. As with MS13-009, the flaw is triggered when an unsuspecting user visits a malicious Web page.

Once versions of Internet Explorer are patched, they should become safe to use again—for now.

The remaining critical bulletins cover a vulnerability in Exchange Server that could allow remote code execution through its WebReady document viewing feature; a flaw in Microsoft Office that could be exploited by a specially crafted media file; and a critical bug in Windows Object Linking and Embedding (OLE) that could allow an attacker to run code with the same permissions as the logged-on user.

The rest of the vulnerabilities are rated "important," but they could still allow denial-of-service attacks and elevation of user privileges.

Patch Tuesday fixes are available through the usual update channels, such as Windows Update, Microsoft Update, and Windows Server Update Services (WSUS).
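For administrators who need to confirm that a month's bulletins actually landed, the following PowerShell script is an added example (it is not part of the ZDNet article and not a Microsoft tool). It checks a caller-supplied list of KB numbers against the installed-hotfix inventory, notes whether a reboot is still pending, and asks the Windows Update Agent which applicable updates remain uninstalled. The article gives bulletin IDs rather than KB numbers, so no KB values are hard-coded; the script name and the KB values in the usage line are placeholders.

```powershell
# Added example (not from the ZDNet article). Verifies that the KB updates the
# caller names are installed, reports a pending reboot, and lists what the
# Windows Update Agent still has outstanding. Run in an elevated PowerShell.
# Usage (placeholder KB numbers, not real IDs):
#   .\Check-PatchTuesday.ps1 -RequiredKBs KB0000001,KB0000002
param(
    [Parameter(Mandatory = $true)]
    [string[]]$RequiredKBs
)

# Get-HotFix reads the same inventory as "View installed updates" in Control Panel.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

$missing = @($RequiredKBs | Where-Object { $installed -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Not installed: " + ($missing -join ', '))
} else {
    Write-Host "All required updates are installed."
}

# An update that is installed but awaiting a reboot is not yet protecting the
# machine; the update agent records that state under this registry key.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) {
    Write-Warning "A reboot is pending; some fixes are not active until then."
}

# Ask the Windows Update Agent (the engine used by Windows Update, Microsoft
# Update and WSUS clients) for updates that apply here but are not installed.
# Search() contacts the configured update source, so this needs network access.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

foreach ($u in $result.Updates) {
    $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
    New-Object PSObject -Property @{
        Title    = $u.Title
        KB       = $kbs
        Severity = $u.MsrcSeverity   # 'Critical', 'Important', ... or empty
    }
}
```

On a WSUS-managed client the pending list reflects only what the WSUS administrator has approved for that machine, so an empty result means "nothing approved is missing", not "fully patched"; cross-check the Get-HotFix result against the KB numbers in the bulletin for that reason.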

Comments
  • As Roseanne Roseannadanna would say, if it's not one thing, it's another

    The Swiss cheese of operating systems is at its BEST again
    Over and Out
    • Swiss cheese?

      You're talking about Linux or OS X? Let's see who leads the "Vulnerabilities Marathon":
      • The same report can be changed too

        Top 50 Vendors By Total Number Of "Distinct" Vulnerabilities
      • Hmmm....

        Looking at that chart, I find an entry for "Windows 2003 Server" with 401 all time patches and another entry for "Windows Server 2003" with 283 patches. Are these two different products? Or are they the same product with different names?

        Also, you neglected to look at the chart at the bottom. Guess what vendor holds 1st place by almost 70% more than 2nd place?
        • Numbers

          Just click the value in the "Number of Vulnerabilities" column, then compare:

          The second has all the vulnerabilities from the first one but also has a few more. So we're not speaking about different products but about "human error".

          "Also, you neglected to look at the chart at the bottom. Guess what vendor holds 1st place by almost 70% more than 2nd place?"

          And this is pretty funny: Apple has second place, and it is not a software company. Also, it is nice to click the company name and look at the chart below. Apple's time line is impressive. In 2012 they had in total 303 vulns. Microsoft, who is a software company and has much, much more of its own software than Apple, in 2012 had in total 173 vulns. WOW.

          Yes, numbers and readability combined with thinking give awesome results.
    • If patching means it's insecure

      Then there is no secure software out there.
      Michael Alan Goff
  • Is this supposed to be positive, negative or purely informative?

    MS patching security issues is hardly a bad thing, and it's something they do most weeks.

    Not sure there is any point to these articles.
    Peter Whitehouse
    • Informative

      It's called journalism :-)
    • It IS informative...

      Excepting Zack's sometimes shaky editing, it is useful to get some of the details of the updates. And Peter, the Patch Tuesday refers to the second Tuesday of each month, when Microsoft releases the bulk of their updates, rather than weekly. We look forward to/dread this each month!
  • Internet Explorer security on Windows client vs. server operating systems

    It would appear that Internet Explorer's built-in protections don't protect users from the vulnerabilities in bulletins MS13-009 and MS13-010. Unless, in the case of MS13-009, you are running Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012, as these server OSs come with Enhanced Security Configuration built into IE as a default. How many users run a server version of Windows?

    o Why has Microsoft made it so hard for their client OS users (NOT enterprise sysadmins) to whitelist frequently-visited sites in the IE "Trusted" Zone?
    o Why has Microsoft not implemented a user-friendly version of Enhanced Security Configuration (that is available in Server 2003) for their client OSs so that users can simply visit a web site, go to the menu and select a menu item to add the site to the IE "Trusted" Zone?
    Rabid Howler Monkey
    • It would appear that you are wrong

      The stated mitigations are mitigations which would *prevent* the attacker from executing code. On the server OSes with enhanced security that is indeed the case, as plugins, ActiveX and several other extensions are not allowed to start in the first place.

      But the phrase "These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user" is the key. The Internet Explorer, Office 2010 and Chrome low integrity modes (protected modes) *change* the "current user".

      It is called defense in depth. Even if an attacker exploits these vulnerabilities and can run his shell code inside the exploited application, the *current user* is a severely restricted user with no write permissions *anywhere* (except for a secluded internet cache area).

      The "current user" cannot infect the system.

      No, these vulnerabilities are not a sandbox bypass. They are straight-up memory corruptions which *could* allow an attacker to run his own code. But that code would still run inside the protected mode.
      • Nope

        First, how about responding to my questions, as they are pertinent to both of the vulnerabilities addressed in ms13-009? As well as pertinent to the mitigations and workarounds detailed for the vulnerabilities in ms13-009. Microsoft's failure to include user-friendly bits from Enhanced Security Configuration in their client OSs is the heart of my comment.

        Second, let's look at what Microsoft says in ms13-009:

        o Windows XP SP3 Internet Explorer 6/7/8 Remote Code Execution Critical
        o Windows Vista SP2 Internet Explorer 7/8/9 Remote Code Execution Critical
        o Windows 7 SP1 Internet Explorer 8/9 Remote Code Execution Critical
        o Windows 8 Internet Explorer 10 Remote Code Execution Critical
        o Windows RT Internet Explorer 10 Remote Code Execution Critical

        Note that Windows Integrity Levels are not supported on Windows XP. Also note that Microsoft's Maximum Security Impact and Aggregate Severity Rating (provided in the bullets above) are the same for all currently-supported client OSs, including Windows XP. Sorry, but I'm going with Microsoft on this one.
        Rabid Howler Monkey
    • Client OS and security in the Enterprise

      Don't be so surprised. It is impossible for the IT department to ensure security if the users are allowed to make such choices. The user can submit a request to IT to allow sites and, after a review of the site(s), they can be permitted to access them.
  • Microsoft fixes critical Windows, Office, IE security flaws

    Will be testing and deploying. Nothing says a secure Microsoft Windows like some patches to fix the vulnerabilities. Plus the once a month thing helps instead of doing it daily like you find in other operating systems.
    • ???

      Surely fixing vulnerabilities as soon as is possible is better?
      • Depends

        "Surely fixing vulnerabilities as soon as is possible is better?"

        Actually, no. Or rather: Rarely.

        Security researchers divide the risk a vulnerability is exploited into low-risk and high-risk periods. The high-risk period is when the vulnerability is known but a patch is not yet available or organizations/users have not yet applied it.

        Patches always have the potential to destabilize systems and applications. In general, users want both stable and secure systems. These two have to be balanced. Mindlessly rushing fixes and patching everything ASAP will invariably lead to some patches disrupting systems. Especially corporations will want to *test* the potential impact before rolling out a patch.

        If you send out patches each day (like Ubuntu) you put your customers on the spot: Either they have to set aside time *each day* to test and verify or they will have to delay and bundle patches. But as the patches are now out and vulnerability information in the open, these become *high-risk* days.

        A balancing compromise is to bundle patches with vulnerability information exposure from the vendor. Once a month system admins will set aside time to verify that critical applications/systems will still work following a patch. And they have only low-risk periods leading up to that point.

        Sure, if you are a home user who can live with the office apps or internet connection or a specific website becoming incompatible, you'd want patches as soon as possible. But as long as the vulnerability information is not in the open you are not in a high-risk period. I can certainly live with that.
  • Still does not address a critical question:

    Why are there vulnerabilities at all and why do all browsers/OS/Servers have them? The answer is simple enough. What do all of these things have in common? Users. Users who demand (sometimes actual users, sometimes imaginary ones in the minds of marketing folks) "features" and "additional capabilities" and "richer multimedia experiences", so the ability of PDFs to download and run software for that "richer multimedia experience".

    You know, I never wanted any of that. I never cared one tiny bit if my buttons could flash and dance and play music. I play multimedia on a player and don't care about getting it embedded on a page. My player can play streaming video.

    Ah, well, it never ends. Been this way since before the internet.
    • Another reason vulnerabilities exist: The Pope Doesn't Design Software

      The Pope is infallible.
      • Infallible?

        Technically, according to Catholic doctrine ONLY on certain specific occasions when he is doing HIS JOB: defining "eternal" dogma (doctrine). Rules against meat on Friday were NEVER imposed by EX CATHEDRA decrees of dogma, only as recommended (STRONGLY recommended) means of exercising devotion; they were changed in the 1960's, no problem. Assumption, Immaculate Conception, and of course (circular reasoning) Papal Infallibility are some of the things that WERE announced ex cathedra, so those CANNOT be changed by a later Pope, in theory. The dogma of infallibility is that on such important matters, God as the Holy Spirit prevents him from speaking incorrectly, just as the Holy Spirit guides the choice of a new Pope.

        I'm not Catholic myself, but I have studied religion informally all my life, and I was always curious enough to learn such details, since they affect history. My own faith is Christian but not dogmatic about doctrine.

        BTW, an intriguing idea, a Pope who can write computer programs. Many priests, especially Jesuits, have been scientists (e.g. Teilhard de Chardin), and this may include some IT people, but they would only have time to do science as a hobby if they want to get up to the Monsignor or Cardinal rank, and by custom (not by theory) the Pope is elected from among the cardinals (theoretically, ANY Catholic man could be chosen as the pope, and he could be ordained a bishop after selection if necessary, but that is as likely as any 35+ American with no prior political career suddenly becoming President).
  • Two Phases?

    I saw nothing in the article about a two phase update, i.e. fix to the fix. I applied the update (4 "important" updates and 1 "optional" update) Tuesday, restarting as instructed, during the day (the "optional" update failed; it was a hardware update I did not recognize, so it was probably offered in error). Tuesday was the President's SOTU, and the White House web site offered a live web feed enhanced with charts and so forth on the side. I logged in for the enhanced feed, it ran about a minute and Windows 7 went dark, shutting down the computer with no warning. On the next three restarts, the same thing happened, so I gave up and just watched the TV version. I was able to pull up the after-speech conference call, which was audio only, with no program.

    This morning, ANOTHER 5 updates (plus the failed "optional" update from Tuesday) were offered! Leaving behind the optional update, the others all installed successfully, and restart was successful. The system has been stable all day, but of course it is too late to test the live webcast, and there will undoubtedly be more updates before next year.

    This leaves me wondering: is it possible that some Microsoft engineers applied the update to their own (or office) computers, then tried to watch the SOTU and got the same error? And being the creators of the patch, then went back into (or stayed late at) the office, found the bugs, and issued a new patch overnight?

    Or could it be that, as a quick look at update history just now showed, some of the patches were recorded as "failed" in the history log Tuesday, and their retries succeeded today, even though the after-restart display showed ONLY the optional update as failing? It seems strange that Windows Update would only show 5 when it was really applying 10, and then not tell me that the other 5 failed, and wait overnight before saying there are another 5 to be applied! The application of only part of the update package would explain why Windows failed on a live webcast.

    Did anyone else have a problem watching the SOTU webcast on, and had Tuesday's patch been applied first? Did anyone else get a followup patch today? Did anyone have the two-phase patch, whether they tried to access the webcast or not? It's not important but I am curious!
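The thread above on Enhanced Security Configuration and Internet Explorer's Protected Mode (the low-integrity "current user" one commenter describes) turns on whether that sandbox is actually in force on a given machine. The following PowerShell script is an added example, not code from the article or from any commenter: it reports, per IE security zone, whether Protected Mode is enabled, honouring Group Policy overrides, warns when the OS has no integrity levels at all (Windows XP, which the thread notes), and checks whether IE Enhanced Security Configuration is installed. It assumes the per-zone registry value 2500 and the Active Setup component that records ESC for administrators; confirm both against the IE version in use.

```powershell
# Added example (not from the article or the commenters). Reports whether IE
# Protected Mode is in force for each security zone and whether IE Enhanced
# Security Configuration is installed. Protected Mode depends on Windows
# Integrity Levels, which first appeared in Windows Vista (NT 6.0).

if ([Environment]::OSVersion.Version.Major -lt 6) {
    Write-Warning "This OS predates Windows Vista: no integrity levels, so no Protected Mode."
}

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }

# Value 2500 under each zone key: 0 = Protected Mode on, 3 = off. Policy keys
# take precedence over the user's own setting, so they are consulted first.
$zoneRoots = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneProtectedMode([int]$Zone) {
    foreach ($root in $zoneRoots) {
        $key  = Join-Path $root $Zone
        $item = Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $source = if ($root -like '*Policies*') { 'policy' } else { 'user' }
            return New-Object PSObject -Property @{
                Zone          = $zoneNames[$Zone]
                ProtectedMode = ($item.'2500' -eq 0)
                Source        = $source
            }
        }
    }
    # No explicit value anywhere: IE's built-in default is on for the Internet
    # and Restricted sites zones and off for the others.
    $default = ($Zone -eq 3) -or ($Zone -eq 4)
    return New-Object PSObject -Property @{
        Zone          = $zoneNames[$Zone]
        ProtectedMode = $default
        Source        = 'default'
    }
}

0..4 | ForEach-Object { Get-ZoneProtectedMode $_ } |
    Format-Table Zone, ProtectedMode, Source -AutoSize

# IE Enhanced Security Configuration (server SKUs) is recorded as an Active
# Setup component; IsInstalled = 1 means it is on for administrators.
$escKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$esc = Get-ItemProperty -Path $escKey -Name IsInstalled -ErrorAction SilentlyContinue
if ($esc -eq $null) {
    Write-Host "IE Enhanced Security Configuration: not present (client OS)"
} else {
    $state = if ($esc.IsInstalled -eq 1) { 'enabled' } else { 'disabled' }
    Write-Host "IE Enhanced Security Configuration for administrators: $state"
}
```

The "Source" column is the practical part: a zone reporting "user" with Protected Mode off means a local user (or malware running as that user) turned it off, while "policy" means the setting is pinned by Group Policy and cannot be changed from the browser's Internet Options dialog. A site added to the Trusted sites zone, as the thread proposes, runs outside Protected Mode by default, which is exactly the trade-off the commenters are arguing about.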