The company will most likely address it next Patch Tuesday, security expert explains

Jun 12, 2013 13:32 GMT

Microsoft today rolled out this month’s Patch Tuesday updates, but the company has apparently ignored a critical Windows 7 and 8 flaw reported by a Google engineer a few weeks ago.

Tavis Ormandy, currently working as Information Security Engineer at Google, tried to get in touch with Microsoft to report a security issue in the company’s two newest operating systems that could basically allow an attacker to take control of an unpatched computer.

It turned out that Microsoft “treats vulnerability researchers with great hostility,” as he explained in late May, so the Google engineer decided to make the security flaw public.

Even though Microsoft was expected to address the issue with today’s Patch Tuesday, it appears that the company has yet to develop a fix, so an update will most likely be unveiled next month.

Wolfgang Kandek, CTO, Qualys, has said in a statement that Microsoft is most likely working to patch the flaw as we speak, so expect a dedicated update in July 2013.

“Microsoft is not fixing a recent vulnerability that Tavis Ormandy had alluded to in March and has recently (June 3) published an exploit for on the full-disclosure mailing list,” he explained.

“The 0-day vulnerability allows an attacker already on the machine to gain admin privileges, and we can assume that the underground is working to make that vulnerability part of their arsenal. The vulnerability should be addressed next Patch Tuesday unless wider exploitation in the wild is detected.”

On the other hand, Microsoft released five different security bulletins, one of which was marked as “critical” and was supposed to address security flaws found in Internet Explorer. All versions of the browser got patched today, regardless of the Windows versions they’re running on.

In addition, both Windows and Office received new patches, so make sure you install the available updates as soon as possible.