Alerts & Reports : Towerwall Security / Vulnerability Alert: Microsoft announces five Bulletins for Patch Tuesday, including Office for Mac
Midsummer Patch Tuesday (or midwinter, depending on your latitude) takes place on Tuesday 11 June 2013.
As you probably already know, Microsoft publishes an official Advance Notification each month to give you early warning of what's coming.
These early notifications generally don't give any details, summarizing only the basics, such as:
The number of Bulletins (read: security patches) you'll get.
The severity levels (read: urgency) of the patches.
So it sounds on the surface like a light month, with only two remote code execution (RCE) vulnerabilities to worry about.
Take note, however, that Microsoft's Affected Software chart states that one of the RCEs is a vulnerability in Internet Explorer 6 to Internet Explorer 10, on platforms from Windows XP right up to Windows 8 and Windows RT.
That makes it a risk to almost every Windows user out there.
The other RCE, which isn't rated critical, affects Office.
Interestingly, the versions at risk seem to be Office 2003 for Windows, and Office 2011 for Mac, meaning that this isn't just a Windows Patch Tuesday.
As usual, Server Core installations aren't affected by the vulnerability in Internet Explorer (nor by the hole in Office), because Server Core deliberately omits the graphical components required to run GUI-based software like browsers, file viewers and word processors. You won't get caught out by surprise on Server Core when you visit a website, look at an image, or open a risky PDF file - for the compellingly simple reason that, by design, you can't do any of those things. We recommend that you use Server Core whenever technically possible.
There's also an update dealing with an elevation-of-privilege (EoP) flaw listed as being simply in "Windows."
The burning question is whether this fix deals with a vulnerability in the Windows kernel recently disclosed by Google researcher Tavis Ormandy, who published a working exploit on the Full Disclosure mailing list about three weeks ago.
Ormandy's initial Full Disclosure post appeared on 17 May 2013, noting that he had found a potentially exploitable vulnerability and asking for help to turn the bug into a working exploit.
Three days later, he'd solved his own problem and published what he claimed to be a working exploit for all supported versions of Windows.
Note that EoPs don't always get critical ratings because they're often local exploits that can't be triggered remotely. In such cases, you have to land before you can expand: you need to break into your victim's computer first, for example by using an RCE, and then use the EoP to "promote" yourself to administrator level.
Of course, if you're able to pull off an RCE in the first place, you can still infect your victim and wreak plenty of havoc, because malware doesn't need root-level access to log keystrokes, steal files, send spam and much more.
But an RCE followed by an EoP makes everything much worse, since any malware you unleash can do much more harm, such as altering system services, sucking data out of memory belonging to other processes, and even manipulating the operating system kernel itself.