Microsoft plans critical security update for Tuesday. Patch before you’re pwned

Graham Cluley

Microsoft says it will be issuing seven security updates, including six that the firm classifies as “critical”, on Tuesday 9 July.

In an advance notification, Microsoft explained that the security updates would tackle remote code execution vulnerabilities in Internet Explorer, Lync, Visual Studio, Microsoft Office, Silverlight and the .NET Framework.

The risk is that if your computer isn’t patched against the vulnerabilities, malicious hackers could exploit them to install malware onto your computer and effectively (please excuse the leetspeak) “pwn” it.

Other patches expected in the latest “Patch Tuesday” bundle include important fixes for Microsoft’s Windows Defender security software.

Amongst the critical vulnerabilities expected to be fixed is a zero-day vulnerability in the Windows kernel discovered by Google security engineer Tavis Ormandy.

Ormandy controversially published details of the vulnerability, and later a working exploit, rather than first reporting it privately to Microsoft so it could be fixed.

Tavis disclosure

Of course, Tavis Ormandy doesn’t believe he was acting irresponsibly. His argument is that users can better protect themselves if information about vulnerabilities, and how to exploit them, is available for all – whether cybercriminal, office worker, or elderly Great Aunt Agatha – to read on the internet.

Others, like me, believe that security researchers should engage responsibly with software firms to get problems fixed before revealing details of how they can be exploited. The antics of some researchers always leave me with the impression that they are more interested in showing the world how clever they are – rather than doing what’s right for the majority of internet users.

Take, as a model of vulnerability disclosure done right, the serious security hole recently found in Facebook, which could have let cybercriminals hijack any Facebook account just by sending an SMS text message.

The British researcher “fin1te” (real name Jack Whitten) who found that security hole could have gone public about the flaw, and potentially made a big name for himself.

But instead he acted responsibly. He told Facebook about the flaw, and nobody else. Facebook acted quickly to seal the security hole, and a billion Facebook users were protected from potentially having their accounts hijacked.

Yes, Whitten received a $20,000 reward for bringing the flaw to Facebook’s attention – but he could have potentially made a great deal more if he had sold details of the flaw to identity thieves.

More security researchers should act responsibly like Whitten, rather than potentially putting Great Aunt Agathas at risk.

Microsoft likes to give advance warning of the security patches it plans to issue, so IT teams can ready themselves and ensure that they have the right resources to roll them out across networks of computers promptly.

But if you are personally responsible for the security of your computer, you might find it easier to check that you have automatic updates enabled.
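If you want to verify that state rather than just trust the control panel, the following PowerShell script, added here as an example and not part of the original article, queries the Windows Update Agent COM API for the Automatic Updates notification level, the last successful install, and any updates still pending, flagging those Microsoft rates “Critical”. The `$levels` mapping and the search filter string are the author's assumptions about what is worth reporting; the COM objects (`Microsoft.Update.AutoUpdate`, `Microsoft.Update.Session`) are the standard Windows Update Agent interfaces available on Windows 7 and later.

```powershell
# Added example (not from the original article): check Windows Update settings
# and list pending updates using the Windows Update Agent COM API.
# Run from an elevated PowerShell prompt on Windows 7 or later.

# 1. Automatic Updates configuration
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
# Assumed labels for IAutomaticUpdatesSettings.NotificationLevel values
$levels = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Notify before install'
    4 = 'Scheduled install (recommended)'
}
$level = [int]$au.Settings.NotificationLevel
Write-Host ("Automatic Updates: {0}" -f $levels[$level])
if ($level -lt 4) {
    Write-Warning 'Automatic Updates will not install patches on their own; scheduled install is recommended.'
}
Write-Host ("Last successful search : {0}" -f $au.Results.LastSearchSuccessDate)
Write-Host ("Last successful install: {0}" -f $au.Results.LastInstallationSuccessDate)

# 2. Pending software updates, with Microsoft's severity rating where one exists
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

if ($result.Updates.Count -eq 0) {
    Write-Host 'No pending updates.'
} else {
    $result.Updates |
        Select-Object @{n='Severity'; e={ if ($_.MsrcSeverity) { $_.MsrcSeverity } else { 'n/a' } }},
                      @{n='KB';       e={ ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',' }},
                      Title |
        Sort-Object Severity |
        Format-Table -AutoSize

    # MsrcSeverity is only set on security updates; 'Critical' matches the bulletin rating
    $critical = @($result.Updates | Where-Object { $_.MsrcSeverity -eq 'Critical' })
    if ($critical.Count -gt 0) {
        Write-Warning ("{0} critical update(s) pending. Install them now via Windows Update." -f $critical.Count)
    }
}
```

On a domain-joined machine, Group Policy or a WSUS server may override the notification level and the set of updates offered, so a “Notify before install” result there is a question for the IT team rather than a setting to flip locally.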

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
