Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Microsoft Patch Tuesday: Two critical fixes, many affected WIndows users

Windows 7 and Windows Server 2008 R2 patches will keep IT departments busy

Article comments

Microsoft is issuing two critical fixes on this month's Patch Tuesday, one of them affecting its most popular operating system -- Windows 7 -- in conjunction with Windows Server 2008 R2.

That problem allows remote execution of code on unpatched machines without users doing anything, a situation Microsoft always deems critical.

The other critical bulletin addresses a vulnerability that affects the full range of Windows desktop operating systems from Windows XP to Windows 8 as well as Windows Server 2003, 2008, 2008 R2 and 2012, and also leaves the systems open to remote code execution. "It is likely that it is a vulnerability in one of the base libraries of Windows that is widely used, such as Windows XML Core Services, which had its last fix in July of 2012," says Qualys CTO Wolfgang Kandek.

While that's a relatively light load in terms of numbers of critical warnings, it doesn't mean it will be easy on IT departments making the patches. "There are a lot of restarts this month and they impact nearly all of the Windows operating systems," says Paul Henry, security and forensic analyst at Lumension, a security, vulnerability and risk management company.

One of the five bulletins designated important - No. 5 - may end up being the most significant in terms of wiping out the threat, says Alex Horan, senior product manager, CORE Security. The problem is located in Vista SP 2, Server 2008 and Windows 7. "This has the potential for the most long-term issues as it represents an extremely large base of potential targets if it is not rectified properly," Horan says.

This includes Windows RT, the new power-pinching version of Windows 8 for devices based on ARM processors, which is affected by the vulnerability addressed by the second of the critical bulletins as well as by three others that are ranked important, Henry notes. Users should get accustomed to it, he says. "The system has been patched a few times already since being released late last year, and we expect to see it included in many of this year's Patch Tuesdays," he says.

None of the bulletins this month directly address a zero-day vulnerability found in the wild over the weekend in fully patched versions of Internet Explorer 6, 7 and 8. The flaw allows attackers to gain control of affected machines. The attack comes from malicious Web sites containing content that exploits the vulnerability in visiting browsers, Microsoft says.

The company has issued a workaround but not a patch, and IT departments should make implementing the workaround their top priority, Henry says.

It would be surprising if Microsoft had developed the IE patch already, says Andrew Storms, director of security operations for nCircle. "It would have taken a miracle for Microsoft to patch a zero-day one week after a zero-day advisory," he says.

However, it is possible that one of this month's patches will repair operating-system vulnerabilities the IE attack could exploit, says Henry. With the details Microsoft has released so far it's impossible to tell. "If the browser is just a path to an underlying vulnerability in the operating system, then this issue will likely be fixed by one of the patches. If the vulnerability is exclusive to the browser, on the other hand, then this is still something to watch out for," Henry says.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *