Microsoft Issues Nine Patches for 37 Bugs
Microsoft has issued nine patches for 37 issues in Windows, Office, SQL Server, Net Framework and SharePoint Server, according to the company’s August security bulletin.
The advisory patches fix severe vulnerabilities such as remote code execution, privilege escalation and security feature bypass.
“The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer,” the IE security update (MS14-051) said. “An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.”
There are 26 patched Internet Explorer flaws in total, ranging from IE 6 to IE 11, as only one was disclosed and 25 others undisclosed.
Another remote code execution flaw was found in Windows Media Center that could allow an attacker to gain the same rights as the affected user.
.NET Framework didn’t escape the patching this time, as a security bypass vulnerability was found and its details are undisclosed. An attacker could bypass the Address Space Layout Randomization (ASLR) via a specially crafted website.
“The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that could take advantage of the ASLR bypass to run arbitrary code,” said the MS14-046 security bulletin.
The last critical vulnerabilities are privilege escalation flaws found in the Kernel-Mode Drivers. The exploit could allow an attacker to escalate privileges if he “logs on to the system and runs a specially crafted application.” This time the attacker “must have valid logon credentials and be able to log on locally” to exploit it.
Microsoft Windows users are advised to apply the latest update for their own security. These patched vulnerabilities are rated as severe and their exploitation could be damaging.