Patch Tuesday: 23 vulnerabilities fixed; IE, Windows, Office

One "critical" vulnerability and four "important" ones round out this week's software fixes from Microsoft.


Microsoft on Tuesday issued five security bulletins, one rated "critical," that affect its Internet Explorer web browser, Windows operating system and Office productivity software suite. 

The patches address 23 vulnerabilities in total.

The most important one, MS13-047, is a cumulative security update for all versions of Internet Explorer. It resolves 19 flaws that could allow remote code execution if a customer views a specially crafted Web page using the browser. A successful exploit gives the attacker the same user rights as the current user.

The issues were found privately and no attacks have been detected, the company says. It first revealed them last week.

The second bulletin, coded MS13-051, patches a vulnerability in Microsoft Office 2003 and Office for Mac 2011 that could allow remote code execution if a user either opens a specially crafted Office document using an affected version of Microsoft Office software, or previews or opens a specially crafted e-mail message in Outlook while using Microsoft Word as an e-mail reader. Unlike the first, this update is rated "important."

This flaw was also discovered privately, though Microsoft says it has seen "limited, targeted attacks" for it. 

The final three bulletins all concern Windows. MS13-049 concerns a vulnerability in the Kernel-Mode driver that could allow a denial of service if an attacker sends specially crafted packets to the server; MS13-050 concerns a vulnerability in Print Spooler Components that could allow elevation of privilege when an authenticated attacker deletes a printer connection; and MS13-048 concerns a Kernel vulnerability that could allow information disclosure if an attacker logs on to a system and runs a specially crafted application. All were disclosed privately.

Finally, Microsoft issued an advisory that "gives enterprises more options for managing their private public key infrastructure," or PKI, environments. The improved certificate-handling functionality, which was first available in Windows 8, Server 2012 and RT, is now available for Vista through Windows 7.