Microsoft has warned that next week’s Patch Tuesday release will include fixes for critical flaws in every version of Windows running on every type of computing hardware, from the biggest datacenter servers to the lightest ultrabooks.
The unusually large set of security patches will fix a series of critical flaws that affect every version of Windows at the kernel level, in .NET, and in a host of the company’s most widely used applications.
The round of patches Microsoft will release June 9 is designed to fix security holes that would allow remote attackers to elevate themselves to administrator on Windows systems and execute code remotely without tipping off intrusion detection or anti-malware systems.
The six updates listed as “critical” in Microsoft’s advance notification security bulletin address flaws that would allow remote code execution via weaknesses in Microsoft Windows, Microsoft Office, Microsoft .NET Framework, Silverlight, Visual Studio, Lync and Internet Explorer.
A seventh, rated as only “important,” addresses a flaw that would allow attackers to elevate their own privileges to administrator by exploiting a weakness in versions of Windows Defender running on Windows 7 and Windows Server 2008 R2.
Microsoft will also issue an update to its Malicious Software Removal Tool, designed to accommodate the other updates and detect attacks based on the latest set of security holes.
The advance notice is an unusually public way to announce fixes for a major security flaw—but so is the information about the flaw itself. Google researcher Tavis Ormandy identified a flaw in the EPATHOBJ::pprFlattenRec function of the Windows kernel. But rather than let Microsoft know about the problem by email (as the company prefers that researchers do), Ormandy posted information about the “pretty obvious bug” to the Seclists.org Full Disclosure mailing list, in March and again in May. His posts described the flaw and asked for help from the community to resolve it because “I don’t have much free time to work on silly Microsoft code.”
Ormandy later posted a sample exploit for the privilege-escalation bug and noted that another is already available in the wild. That wasn’t the first time Ormandy chose to go public with a bug disclosure rather than take the sotto voce approach, which most major developers prefer because it allows them to learn of potential risks without increasing the risk inherent in a public disclosure before a fix is available.
Microsoft rebuked Ormandy in 2010 for previous public disclosures, according to The H Security. Ormandy is one of several well-known bug hunters and security specialists who have complained about the slow pace with which Microsoft addresses security flaws. “If I had reported the… issue without a working exploit, I would have been ignored,” he wrote on Full Disclosure about the Internet Explorer bug he identified in 2010.
Microsoft complained at the time of having only five days to work on the flaw before Ormandy went public with it.
“If you confirm [the flaw] is exploitable, feel free to send your work to Microsoft if you feel so compelled, if this is your first time researching a potential vulnerability it might be an interesting experience,” Ormandy wrote in a May 15 blog posting addressing fellow security researchers about his discovery. “Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself.”
By policy, to avoid publicizing a flaw before fixing it, Microsoft normally discloses security problems only when they are about to be fixed. A Knowledge Base article posted along with the update notice details non-security updates to Windows servers and workstations, with pointers to more detailed information on each. A webcast discussion about the security flaws, during which Microsoft will allow customers to ask questions, will be held at 11 a.m. Pacific time, July 10, 2013.