Microsoft fixes two critical Windows, IE security flaws for April's Patch Tuesday
Summary: Get a strong pot of coffee on, April's Patch Tuesday has arrived. In the latest round of security updates, Microsoft has released patches for nine security vulnerabilities, two of them considered 'critical'.
Microsoft has released two critical security updates for Windows and Internet Explorer as part of its latest round of Patch Tuesday updates.

Included in the patches are seven important updates for Office, SharePoint and Windows Server products, which are hitting the usual update channels today.
The first critical bulletin affects versions of Internet Explorer 6 and above on Windows XP, Windows Vista and Windows 7. It also affects Internet Explorer 10 on Windows 8 and Windows RT-based tablets.
It includes two separate flaws, one of which allows remote code execution, such as a malware injection, if an affected user views a specially crafted Web site. This would allow the attacker to access an infected machine with the same user rights as the logged-in user.
Because it exposes more Windows-based machines to attack, the first critical flaw, which affects Internet Explorer, should be first on the agenda.
The second critical bulletin addresses a flaw in the Remote Desktop Client that could allow another such malware injection, giving the attacker the same user rights as the logged-in user, just as with the first flaw.
Both patches fixing the two critical vulnerabilities require the machine to be restarted.
Other vulnerabilities rated as "important" could allow data and information disclosure, or an elevation of privileges on affected machines.
Five of the other seven flaws relate to Windows, as well as software running on the platform.
MS13-036 fixes three privately disclosed flaws and one publicly disclosed flaw in a Windows kernel-mode driver that allow an elevation of privileges, but only affect logged-in users. Another flaw in the Windows kernel, MS13-031, could also allow an elevation of privileges if a user is logged in.
Meanwhile MS13-033 patches a flaw in the Windows Client and Server Run-time Subsystem (CSRSS). Affected software versions include all versions of Windows Server 2003 and 2008, and Windows XP and Vista.
MS13-030 is an important patch for a SharePoint flaw that could allow unauthorized disclosure of information. MS13-035 fixes a vulnerability in Office that allows an elevation of user privileges from "user" to "administrator" if an attacker sends a malware-ridden file to the user.
Also included in today's release is a bevy of patches for the Surface RT tablet. ZDNet's Mary Jo Foley has more.
This edition of Patch Tuesday comes at a time when Microsoft is warning that Windows XP support is coming to an end in a year's time. The software giant will no longer provide security updates for the ageing 12-year-old operating system from April 8, 2014.
All patches are available through the usual update channels, including Windows and Microsoft Update.

Talkback
let's update!
would the command be:
$ sudo apt-get remove force internet-explorer ?
Settings -> Change PC Settings -> Windows Update
Permanent update fix
$ sudo apt-get remove force internet
Hope you like living in 1950. It was good enough for Eisenhower, it oughta be good enough for you.
GPO setting
That's pretty hilarious, but
Choose your weapons wisely...
http://www.tatanka.com.br/ies4linux/page/Main_Page
... Reviews....
Follow me...
Oh man, it saved my life! How can I thank you?
is this an endless war?
The hot fix is just like a pill. The doctor (Microsoft) only says the pill will fix the liver cancer, but he will not be able to tell if the pill will cause other cancers.
There will always be patches
Linux will also get them.
All software will continue to get patches.
Updates causing crashes?
Thank God for backups, but I had to replace that (under a year old) laptop & we now have to replace the work desktop.
Hmmmmm
Probably
Work computer
I've bought a Mac for my personal desktop, but work is all Windows & since I need to be able to back up the bookkeeping on that, I got a Windows laptop just in case something like this happened. It has Windows 8 (which is OK but ugly as all get out IMO & not for a "non-touch" computer).
It wasn't an Acer, was it?
They can also just make sure it's good in general.
new laptop here
Seems like you should be testing patches first.
Just like all other Windows users do.
All other Windows users aren't experiencing problems
The old saying "Hindsight is 20:20"
1) Install patch
2) Does your device still work?
If yes -> Done.
else -> You should have tested the patch first, then!
Telling someone that they *should have* (past tense) tested a patch AFTER it has caused problems is not useful. But if you have a means of determining which Windows users should test patches BEFORE they cause problems then I am all ears.
"I assume you had a point?"
Yes - Are you somehow expecting Windows users to be *psychic*? Consider 6 people playing "Russian Roulette": you are basically blaming the loser for losing, but giving the other 5 a free pass.
I'm advocating no such thing.
Except people only get problems AFTER installing.
"And our main computer (which controlled all others & was set to auto updates) crashed early this morning."
"My laptop crashed right after an update 2-3 months ago right after an update."
These are two incidents on *different* devices: both devices fine until they crash right after an update.
"I'm stating this particular user should test patches..."
Or maybe "this particular user" is simply responsible for more machines than Mom 'n Pop, and so is more likely to see a failure? You can offset that by considering an equivalent group of Mom 'n Pop users instead. (Who would also be incapable of posting about their problems on ZD-Net AFTER their machine has broken due to a bad update, BTW). How are Mom and Pop supposed to protect themselves?
The Russian Roulette metaphor is valid; you just need to think about it more.