Patch Tuesday: Microsoft to fix five critical security flaws

Summary: Plug everything in and prepare the systems: Patch Tuesday is coming. Microsoft will release patches for nine security vulnerabilities, five of them considered 'critical.'

Microsoft will release nine security patches next week for Windows, Internet Explorer, and Office, along with a smattering of enterprise products such as Exchange and SQL Server.

Five of the patches are for critical vulnerabilities. 

The patches will fix flaws that allow remote code execution, which would let attackers and malware writers install malware without any user prompt or permission. Microsoft's 'critical' rating covers vulnerabilities whose exploitation "could allow code execution without user interaction," such as simply opening an email or a Web page.

Internet Explorer will see its third update in as many months, following security updates in June and July. Typically the software giant updates the browser every other month, but it reversed that decision, a move welcomed by security experts and firms.

Only Bulletin 6, for Windows, refers to an elevation of privilege, a class of flaw that lets malware raise the user's permissions and reach the operating system's critical files. The rest relate to injecting malware onto users' machines.

Microsoft doesn't release the full details of the vulnerabilities until patches are made available. This will be the first update for email server Exchange 2007 and 2010 since December 2010.

This should serve as an advisory notice for the upcoming Tuesday, August 14, when the patches will be released through the usual update channels.

Topics: Security, Browser, Malware, Microsoft, Windows

Talkback

  • Wow

    More remote code execution vulnerabilities - I thought they fixed that last month. And the month before. And the month before that. And the previous month. And...
    HackerJ
    • remote code execution

      There seems to be no end to the ingenuity and innovations in Redmond.
      eulampius
      • Let's face it.

        There is only 1 critical flaw...Microsoft Windows warez!
        NOmoreMicrosoftATall
        • or even more succinctly..

          Microsoft warez...
          NOmoreMicrosoftATall
    • Very strange!!!

      Yes, it is very strange that bugs are being found in a huge software.

      I thought it is possible to develop a bug free software NOT.
      wmac1
    • So you expect that all

      remote code execution, in all things, will be patched at the same time?
      Michael Alan Goff
    • What "fixing bugs" means in your world.

      You must think that there's some magic RemoteCodeExecution switch that when set to 0 (registry key, perhaps?) will forever prohibit anyone from exploiting Windows with such an attack vector.

      You also seem to be under the impression that the code fixes going out each month are reactive to actual incurred incidents, but in fact the vast majority of these fixes are proactively found by MSFT's security team ahead of time, and plugged before it becomes well discovered and exploited.

      The fact is, there are tons of crafty ways of discovering and taking advantage of these loopholes in operating systems, not just Windows. All eyes and ears of blackhat malware and virus devs are honed in on Windows because that's where they can make their mark count the most. iOS and OSX very likely have many of these holes large enough to drive a truck through, but is of no concern because nobody's trying to exploit them. Or, rather, not very many....there's increasing evidence now that that's changing.

      Announcement of MSFT releasing new vulnerability fixes should be met with favorable response (i.e. the system is that much more secure now than it was before), versus the knee-jerk "omg, they found yet ANOTHER hole in Windows, when will this end?"
      milo ducillo
  • Patch for Patch

    I think they release patches sometimes just to patch what they may have broken from the previous patch or to let us know they are still there so they are not forgotten!
    douglas.jefferey
    • It's a shame that software patching

      has earned itself the false reputation from the generally uninformed public that software is yet again proved shoddy and ill-designed.

      Rather it should be viewed with positive connotation in that the software is that much better than it ever was.

      Let's face the facts. Massive software code bases of millions and millions of lines are going to contain lots of bugs. That's just the nature of human error. The real game is finding them, prioritizing them, and stamping them out as fast as possible.

      Sometimes this is done proactively well ahead of the user community, and sometimes the user community brings it to light before the developers discover the use cases that were not immediately obvious during the design phase of the software.

      Whatever the case may be, it's naive to make the assumption that the dev team is negligent when hearing about release of new patches. Rather they should be commended for finding such problems and addressing them.

      The only time I'm critical of the patch writers is when the problem is well-known for a long time before anything is ever done about it.
      milo ducillo
  • Haven't had an iPad OS

    patch in a while. I guess Apple doesn't care, because not have a remove code thingabob isn't possible, right? Right? Is anybody there? Where'd everyone go?
    Tony Burzio
  • Restart required

    I am curious: what does the term "Restart required" mean? More precisely, does this mean a restart of the whole machine or of the application only? Even in that case you'd have to reboot the system. Interestingly, Microsoft engineers haven't managed to clean up their mess yet. A user might get annoyed by the constant reboots and ignore the next patches entirely.

    A couple more questions.
    --What does "May require restart" mean? The updater or Windows packager can't tell if you have to reboot or not?
    --Do you have to restart after applying every patch, or can you apply all the patches at once? Reboot cycles were known to bother Windows users in the past.
    eulampius
    • Files being used

      If library or executable files are locked and running, it is not possible to replace the file (or changes may crash the software). A restart ensures that all files being replaced are free and can be replaced without problem.
      wmac1
      • possible on other systems

        >>If library or executable files are locked and running, it is not possible to replace the file (or changes may crash the software)
        It is possible in most cases on other OSes. If an office application is updated, then only the office application might need to be restarted. Moreover, sometimes just a part of an application needs a restart. Say, if I update/install a new elisp library for GNU Emacs, I just load/reload it without restarting my emacs/client server. It concerns Emacs for Windows too, I suppose.

        This demonstrates a proper way of writing the code.
        eulampius
        • Very dangerous unless you are extremely knowledgeable

          I've heard of many reports where people patch their Linux system but don't restart the appropriate parts. Guess what: you have a "patched" system that is still 100% vulnerable to old exploits. Oops.

          I know it is very popular to make a big deal about rebooting once a month. If I switched to Linux, I would gain 2 minutes a month in productivity from not having to wait for a reboot. I would lose hours a month trying to figure out exactly which processes I need to end so that the vulnerable libraries get released and the patched libraries get loaded.

          That is why Linux has a much higher TCO.
          toddbottom3
          • @Todd Jobs

            Toddy, looking good with these horns of yours :)
            >>I've heard of many reports where people patch their Linux system but don't restart the appropriate parts.
            You might have heard many things, however, in most cases, either a user gets notified that restart of the particular application is required (a corresponding icon will pop up on the panel) or a service will be restarted by the updater automatically.

            Maybe it's very hard for a Windows habitue to know what to restart, for normal people it is not: if the app X is updated, restart the said app X, duh?
            TCO is higher for Linux? Did you "Get the Facts" then?
            eulampius
          • Wow, you just gave a great example

            "if the app X is updated, restart the said app X, duh?"

            Ah, I didn't realize Linux was so simple.

            Hey, what a coincidence. My friend just called me and said that he updated his glib library. I told him to restart the glib app. I did good, right?
            toddbottom3
          • Actually

            You can just drop back down to terminal releasing X11 .. All programs from there will stop running.. Then restart services .. rerun startx .. Done..
            Less than a minute reinitialize the system /w the new patched libraries.

            Why figure out what process to run.. Most services are like this.. Server environment , Ksplice for kernel or patch then restart the process.. On apache you can restart it while letting apache complete the prev threads/processes no downtime.
            Anthony E
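The exchange above turns on whether a process is still running old library code after a patch replaced the file on disk. As an added example, not code from any commenter, this Python script lists Linux processes whose /proc/<pid>/maps still reference a replaced (deleted) shared object; it assumes the Linux /proc layout, reading other users' maps needs root, and the sample maps text is constructed.

```python
"""Spot Linux processes still running library code that a patch replaced on disk.
Overwriting a .so does not affect processes that already mapped it: they keep the
old inode, which /proc/<pid>/maps then reports with a "(deleted)" suffix."""
import os
import re
from typing import Dict, List

# One /proc/<pid>/maps line: "addr perms offset dev inode [path]".
_MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ (\d+)\s*(.*)$")

def stale_libraries(maps_text: str) -> List[str]:
    """Return sorted unique shared-library paths mapped from deleted inodes."""
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        inode, path = m.group(1), m.group(2).strip()
        # Skip anonymous mappings (inode 0) and anything that is not a shared library.
        if inode != "0" and ".so" in path and path.endswith(" (deleted)"):
            stale.add(path[: -len(" (deleted)")])
    return sorted(stale)

def scan_processes(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Map pid -> stale libraries for every readable /proc/<pid>/maps."""
    result: Dict[int, List[str]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as fh:
                libs = stale_libraries(fh.read())
        except OSError:
            continue  # process exited, or other users' maps need root
        if libs:
            result[int(name)] = libs
    return result

# Constructed sample: a process that outlived an update of libssl.so.3.
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a022000 r--p 00000000 fd:01 131074     /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f1c2a022000-7f1c2a0a0000 r-xp 00022000 fd:01 131074     /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f1c2a200000-7f1c2a228000 r--p 00000000 fd:01 131090     /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a400000-7f1c2a421000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    for pid, libs in sorted(scan_processes().items()):
        print(pid, ", ".join(libs))
```

A process listed here is still executing the pre-patch code and needs a restart (or a reboot if it is init or a long-lived daemon you cannot bounce).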
          • Thanks for the info

            "Less than a minute reinitialize the system /w the new patched libraries."

            Now we are down to Linux saving me 1 minute a month.

            Assuming I lose 0 productivity after switching to Linux, how many minutes will it take me to install Linux, transfer my files and settings, find replacement applications, install those replacement applications, convert my documents and files (if possible) and learn a whole new OS? If I can do that in 12 minutes or less, I'm sold because then it means that the switch will have paid for itself in a year or less.

            Let's be honest though, it will take more than 12 minutes. Let's be optimistic and say 6 hours. Now we are talking about a switch that will take 72 years to pay for itself in increased productivity. I don't plan on being alive 72 years from now.

            Anything else you want to sell me?
            toddbottom3
          • Linux (Mint, Ubuntu) is effortless and doesn't require any worrying.

            You update by clicking an Icon and applying the updates to both the OS and installed software in one operation. It never is any cause for concern. Any lay person can do it without any thinking involved.

            We've been using Linux for almost 11 years without using any anti-virus and we never had any problems. Absolutely nothing.

            The free programs work very well and take the place of the Microsoft programs. LibreOffice comes with Mint and Ubuntu and is very powerful and can be configured to save in all the popular Microsoft formats like .doc, .xls, .mdb, .ppt so it's a great alternative for grade school, high school, or college kids that need reliability and security.

            Google Earth, Google Picasa, Gimp (similar to Photoshop) and 33,000 other free programs are available for installation through the included software manager utility.
            Joe.Smetona
          • Linux, LibreOffice and Microsoft Access *.mdb files?

            It's news to me that LibreOffice on Linux can save MS Access *.mdb files. Have you actually done this?

            The "magic" for *.mdb files on Linux is the open-source mdbtools:

            http://mdbtools.sourceforge.net/

            A number of distros, including Debian and Ubuntu, provide mdbtools packages.
            Rabid Howler Monkey