July's Patch Tuesday fixes 6 critical Microsoft flaws

Along with rolling out seven security bulletins for Patch Tuesday, Microsoft also introduced a policy giving developers 180 days to fix bugs

If you use the Windows operating system, or just about any of the core products offered by Microsoft, it's time to install some crucial updates. Today, Microsoft pushed out seven new security bulletins--along with their accompanying patches--as well as a new policy that affects both third-party apps and those developed by Microsoft itself.

Of the seven security bulletins, six of them are rated Critical, while the remaining one is ranked as Important. The Critical security bulletins affect Windows, Internet Explorer, Microsoft Office, Silverlight, and more. The Important security bulletin addresses a privilege elevation flaw in the Windows Defender security software, so that definitely shouldn't be ignored.

Ross Barrett, senior manager of security engineering at Rapid7, stressed this isn't your typical Patch Tuesday announcement. "Basically everything in the core Microsoft world is affected by one or more of these; every supported OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET. It's going to be a busy time for security teams everywhere."

Tyler Reguly, technical manager of security research and development at Tripwire, said it can be difficult to prioritize patch deployment when almost all of them are Critical. "Luckily, there's safety in the known, so customers should patch Internet Explorer first, a common theme for Microsoft patch drops."

That means start with MS13-055--the ever-popular cumulative patch update for the Internet Explorer web browser. Reguly feels that MS13-053 should be next in line for attention after MS13-055 because it fixes a vulnerability that is already being exploited in the wild.

Qualys CTO Wolfgang Kandek agrees that MS13-053 and MS13-055 are the top priorities, but ranks them in the opposite order. In a blog post, Kandek argues that MS13-053 is the most crucial because it affects all versions of the Windows OS and addresses vulnerabilities that are being actively exploited. Kandek warns, "The most likely attack vector is through end users browsing a malicious web page or opening an infected document, which results in Remote Code Execution that gives control of the affected machine to the attacker."

The other big news from Microsoft is the unveiling of a new policy that places a countdown clock on dealing with vulnerabilities. Craig Young, Tripwire security researcher, explained, "Under the new policy, any app in any of the four [Microsoft] app stores will be given 180 days to resolve reported code execution bugs. This policy applies to 3rd-party developers as well as Microsoft's own applications and is a great addition to Microsoft's existing policy of scanning and reviewing app submissions."

This new policy from Microsoft is significant for businesses that rely on Microsoft platforms and devices. Six months is still a long time for a vulnerability to remain in place--especially Critical or Important vulnerabilities that can potentially be exploited to execute malicious code remotely--but the policy shows Microsoft's continued commitment to security. The policy applies to all apps available through the Windows Store, Windows Phone Store, Office Store, or Azure Marketplace.

The policy does not, however, apply to vulnerabilities that are being actively exploited in the wild. Flaws that pose an imminent or ongoing threat are handled with greater urgency. According to a blog post from Microsoft, "In those cases, we'll work with the developer to have an update available as soon as possible and may remove the app from the store earlier."

If you have Automatic Updates enabled, sit back and relax, but plan on your system rebooting at some point to finish applying all of the necessary patches. If you don't use Automatic Updates, get cracking! You've got a lot of Critical patches to install.

Stories by Tony Bradley