Microsoft today rolled out this month's Patch Tuesday updates to fix a total of 13 different vulnerabilities in its software, including Windows, Internet Explorer, and Office.
According to an advisory released by the company this morning, the eight security bulletins, two of which are rated critical and six important, fix flaws in .NET Framework, Office, SharePoint, Internet Explorer, and Windows, which Microsoft says you need to patch as soon as possible.
Microsoft Office is one of the products that received updates this Patch Tuesday and, as promised, Office 2003 is being left out of this month's rollout. The software giant says that the proofing tools in Microsoft Office 2007, 2010, and some RT versions are “vulnerable to a bug in the way Office checks Chinese grammar, specifically in how it loads a particular DLL.”
“By putting a malicious DLL with a particular name in a particular network directory, an attacker could get users to load attack code,” the company explained.
A second vulnerability affects only Office 2013 and requires the user to visit a malicious website, which can then be used to obtain access tokens from Office.
An update aimed at Internet Explorer users is said to be “the most critical” released this Patch Tuesday, and everyone is advised to deploy it as soon as possible.
“All supported versions of Internet Explorer on all supported versions of Windows (this no longer includes Windows XP) are vulnerable to two memory corruption vulnerabilities which could result in remote code execution. Microsoft says they are aware of limited attacks that attempt to exploit one of the vulnerabilities in Internet Explorer,” Microsoft says.
Last but not least, security bulletin MS14-027 is meant to fix a Windows Shell bug, the improper handling of file associations, which would expose user data if exploited. All versions of Windows are vulnerable to attacks, so Microsoft recommends that everyone patch as soon as possible.
“All versions of Windows are vulnerable to an elevation of privilege vulnerability when the Windows Shell improperly handles file associations. A successful attacker could run code in the LocalSystem context. Microsoft says they are aware of limited attacks that attempt to exploit this vulnerability,” it says.
As usual, all patches are being delivered via Windows Update, so it's enough to connect your computer to the Internet and wait until they are automatically downloaded and installed. Some might require a system reboot.