Microsoft fixes two critical Windows, IE security flaws for April's Patch Tuesday

Summary: Get a strong pot of coffee on, April's Patch Tuesday has arrived. In the latest round of security updates, Microsoft has released patches for nine security vulnerabilities, two of them considered 'critical'.

Microsoft has released two critical security updates for Windows and Internet Explorer as part of its latest round of Patch Tuesday updates.

Included in the patches are seven important updates for Office, SharePoint and Windows Server products, which are hitting the usual update channels today.

The first critical bulletin affects versions of Internet Explorer 6 and above on Windows XP, Windows Vista and Windows 7. It also affects Internet Explorer 10 on Windows 8 and Windows RT-based tablets.

It includes two separate flaws, one of which allows remote code execution — such as a malware injection — if an affected user views a specially crafted Web site. This would give the attacker access to an infected machine with the same user rights as the logged-in user.

Because it leaves more Windows-based machines open to attack, the first critical flaw, which affects Internet Explorer, should be first on the agenda.

The second critical bulletin affects the Remote Desktop Client and could allow another such malware injection, which would give the attacker the same user rights as the logged-in user, just as with the first flaw.

Both patches fixing the two critical vulnerabilities require the machine to be restarted.

Other vulnerabilities rated as "important" could allow data and information disclosure, or an elevation of privileges on affected machines. 

Five of the other seven flaws relate to Windows, as well as software running on the platform. 

MS13-036 fixes three privately disclosed flaws and one publicly disclosed flaw in a Windows kernel-mode driver that allows an elevation of privileges, but only affects logged-in users. Another flaw in the Windows kernel, MS13-031, could also allow an elevation of privileges if a user is logged in.

Meanwhile MS13-033 patches a flaw in the Windows Client and Server Run-time Subsystem (CSRSS). Affected software versions include all versions of Windows Server 2003 and 2008, and Windows XP and Vista.

MS13-030 is an important patch for SharePoint that fixes a flaw that could allow unauthorized disclosure of information. MS13-035 fixes a vulnerability in Office that allows an elevation of user privileges from "user" to "administrator" if an attacker sends a malware-ridden file to the user.

Also included with today's updates is a bevy of patches for the Surface RT tablet. ZDNet's Mary Jo Foley has more.

This edition of Patch Tuesday comes at a time when Microsoft is warning that Windows XP support is coming to an end in a year's time. The software giant will no longer provide security updates for the ageing 12-year-old operating system from April 8, 2014.

All patches are available through the usual update channels, including Windows and Microsoft Update.

Talkback

54 comments
  • let's update!

    hummmmm

    would the command be:

    $ sudo apt-get remove force internet-explorer ?
    mxgms
    • Settings -> Change PC Settings -> Windows Update

      Honestly, I thought that the Linux community was more mature than that.
      ForeverCookie
    • Permanent update fix

      More like:

      $ sudo apt-get remove force internet

      Hope you like living in 1950. It was good enough for Eisenhower, it oughta be good enough for you.
      progan01@...
    • GPO setting

      Block CHROME malware install in /user folder since google thinks it is funny to give users a way to install google malware around the program folders.
      hoppmang
    • That's pretty hilarious, but

      Fortunately, Internet Explorer is not available for Linux. Maybe you can try that on a Mac?
      Richard Estes
      • Choose your weapons wisely...

        ...Internet Explorer for Linux.

        http://www.tatanka.com.br/ies4linux/page/Main_Page
        Joe.Smetona
        • ... Reviews....

          How can I get this wonderful software?

          Follow me...
          Oh man, it saved my life! How can I thank you?
          Joe.Smetona
  • is this an endless war?

    MS has been doing the patching for about 20 years. Each month, there are long lists of flaws to fix. How many of them are new and derived from the patches?

    The hot fix is just like a pill. The doctor (Microsoft) only tells you the pill will fix the liver cancer, but he will not be able to tell if the pill will cause more other cancers.
    SmilingGuy
    • There will always be patches

      OS X will get them, only in larger lumps less frequently.

      Linux will also get them.

      All software will continue to get patches.
      Michael Alan Goff
      • Updates causing crashes?

        And our main computer (which controlled all others & was set to auto updates) crashed early this morning..... coincidence? My laptop crashed right after an update 2-3 months ago right after an update. Another coincidence??

        Thank God for backups, but I had to replace that (under a year old) laptop & we now have to replace the work desktop.

        Hmmmmm
        Itsy1958
        • Probably

          considering my computer is set to auto-updates and... it hasn't crashed. In fact, it just tells me to restart in 2 days or else it'll restart for me.
          Michael Alan Goff
          • Work computer

            was almost never turned off, unless the power blinked/went out. My laptop was, of course, turned on & off every time it was used.

            I've bought a Mac for my personal desktop, but work is all Windows & since I need to be able to back up the bookkeeping on that, I got a Windows laptop just in case something like this happened. It has Windows 8 (which is OK but ugly as all get out IMO & not for a "non-touch" computer).
            Itsy1958
          • It wasn't an Acer, was it?

            Windows is susceptible to a bad experience if the OEM can't get their crap together. It's another reason why Macs are perceived as better. Apple can make the OS and can make sure that the hardware is good for it.

            They can also just make sure it's good in general.
            Michael Alan Goff
          • new laptop here

            Another new laptop here, a Toshiba. It also had Windows 8 on it; after one week of use, it now has Windows 7 Pro, and to me, with how I use it, it works better.
            charlieg1
        • Seems like you should be testing patches first.

          If you're having so many problems.
          ye
          • Just like all other Windows users do.

            Oh, wait....
            Zogg
          • All other Windows users aren't experiencing problems

            I assume you had a point?
            ye
          • The old saying "Hindsight is 20:20"

            You are basically advocating that Windows users follow this procedure:

            1) Install patch
            2) Does your device still work?
            If yes -> Done.
            else -> You should have tested the patch first, then!

            Telling someone that they *should have* (past tense) tested a patch AFTER it has caused problems is not useful. But if you have a means of determining which Windows users should test patches BEFORE they cause problems then I am all ears.

            "I assume you had a point?"

            Yes - Are you somehow expecting Windows users to be *psychic*? Consider 6 people playing "Russian Roulette": you are basically blaming the loser for losing, but giving the other 5 a free pass.
            Zogg
          • I'm advocating no such thing.

            I'm stating this particular user should test patches prior to installation because this particular user has had repeated problems.
            ye
          • Except people only get problems AFTER installing.

            Read @Itsy1958's post again:

            "And our main computer (which controlled all others & was set to auto updates) crashed early this morning."

            "My laptop crashed right after an update 2-3 months ago right after an update."

            These are two incidents on *different* devices: both devices fine until they crash right after an update.

            "I'm stating this particular user should test patches..."

            Or maybe "this particular user" is simply responsible for more machines than Mom 'n Pop, and so is more likely to see a failure? You can offset that by considering an equivalent group of Mom 'n Pop users instead. (Who would also be incapable of posting about their problems on ZD-Net AFTER their machine has broken due to a bad update, BTW). How are Mom and Pop supposed to protect themselves?

            The Russian Roulette metaphor is valid; you just need to think about it more.
            Zogg