Patch Tuesday: 23 vulnerabilities fixed; IE, Windows, Office


Summary: One "critical" vulnerability and four "important" ones round out this week's software fixes from Microsoft.

TOPICS: Security, Microsoft

Microsoft on Tuesday issued five security bulletins, one rated "critical," that affect its Internet Explorer web browser, Windows operating system and Office productivity software suite. 

The patches address 23 vulnerabilities in total.

The most important one, MS13-047, is a cumulative security update for all versions of Internet Explorer. It resolves 19 flaws that could allow remote code execution if a customer views a specially crafted Web page using the browser. A successful exploit gives the attacker the same user rights as the current user.

The issues were found privately and no attacks have been detected, the company says. It first revealed them last week.

The second bulletin, coded MS13-051, patches a vulnerability in Microsoft Office 2003 and Office for Mac 2011 that could allow remote code execution if a user opens a specially crafted Office document using an affected version of Microsoft Office software, or previews or opens a specially crafted email message in Outlook while using Microsoft Word as the email reader. Unlike the first, this update is rated "important."

This flaw was also discovered privately, though Microsoft says it has seen "limited, targeted attacks" for it. 

The final three bulletins all concern Windows. MS13-049 concerns a vulnerability in the Kernel-Mode driver that could allow a denial-of-service if an attacker sends specially crafted packets to the server; MS13-050 concerns a vulnerability in Print Spooler Components that could allow elevation of privilege when an authenticated attacker deletes a printer connection; and MS13-048 concerns a Kernel vulnerability that could allow information disclosure if an attacker logs on to a system and runs a specially crafted application. All were disclosed privately.

Finally, Microsoft issued an advisory that "gives enterprises more options for managing their private public key infrastructure," or PKI, environments. The improved certificate-handling functionality, which was first available in Windows 8, Server 2012 and RT, is now available for Vista through Windows 7.


Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.


Talkback

10 comments
  • Xbox music

    Now if they could just fix the problem with Xbox music and the driver issues after the last firmware update.
    arcana1973
  • Kudos to the security researchers;

    Scott Bell, SkyLined, Ivan Fratric, Ben Hawkes, Omair, Stephen Fewer, Aniway.Anyway, Amol Naik, Toan Pham Van, Andrew Lyons, Neel Mehta, Mateusz "j00ru" Jurczyk,
    and several anonymous researchers.

    Thanks.... :)
    daikon
    • Microsoft doesn't close all holes on June patch day

      "The public exploit allows anyone with access to any type of account to execute code at system privilege level – a guest account being perfectly sufficient. The hole has been known since mid-May. It was discovered by Google security researcher Tavis Ormandy, who publicly disclosed it without prior warning. Ormandy released an exploit on the internet a few weeks later. According to currently available information, all versions of Windows are affected.”

      http://h-online.com/-1887051
      daikon
  • Office 2003

    Is MS still supporting it?? Wow.....
    Vish2801
  • Patch Tuesday: 23 vulnerabilities fixed; IE, Windows, Office

    That's what they claim anyway........and there will be 23 more next week and 23 more the following week till H*** freezes over.

    You've heard of a FLY catcher......well Windows is a Malware/Virus catcher........
    Over and Out
    • Foolish

      All software is vulnerable. If Linux was actually installed on 90% of computers the bulletins would be concerning it instead of Windows. It's how you respond to these vulnerabilities that is critical and Microsoft has been doing that job very well for quite some time now.

      If you don't understand that you probably don't belong on a tech site like this.
      MajorlyCool
      • There are security bulletins for Linux

        As an example, here's where one finds them for the Debian Project:

        http://www.debian.org/security/

        As for Internet Explorer, many security experts recommend the use of an alternate browser such as Firefox with the NoScript add-on, Google's Chrome/Chromium or Opera. Why? Primarily because one can much more easily put a leash on JavaScript with these alternative browsers than with Internet Explorer. For more on this, see the topic "Put a Leash on Javascript" at this link:

        http://krebsonsecurity.com/tools-for-a-safer-pc/

        P.S. If Microsoft offered Internet Explorer users on its client Windows OSs the option of using its Enhanced Security Configuration (ESC), which has defaulted on Windows server OSs since Windows Server 2003, using Internet Explorer would be much safer. As an example, every one of this month's 19 IE vulnerabilities is mitigated with ESC.
        Rabid Howler Monkey
  • Patch Tuesday: 23 vulnerabilities fixed; IE, Windows, Office

    Hi,

    Just had a quick look at the Microsoft support page. It looks like MS13-047 attempts to resolve 19 flaws, not 18 as discussed. Maybe I have counted wrong?
    greg.lambert@...
    • Yes, you're right

      That's a typo on my part; it's 19. I just updated the post. Sorry about that!
      andrew.nusca
  • Double-reboots!

    I haven't looked at all of the KB articles to figure out which one is doing it, but I noticed this round of patches required two reboots of my Win8/2012 machines. The only other time I've seen that happen was when enabling Hyper-V for the first time.
    PepperdotNet