Microsoft fixes two critical flaws for April's Patch Tuesday

In the latest round of security updates, Microsoft has released patches for nine security vulnerabilities, two of them considered "critical."

Microsoft has released two critical security updates for Windows and Internet Explorer as part of its latest round of Patch Tuesday updates

Included in the patches are seven important updates for Office, SharePoint, and Windows Server products, which are hitting the usual update channels today.

The first critical bulletin affects versions of Internet Explorer 6 and above on Windows XP, Windows Vista, and Windows 7. It also affects Internet Explorer 10 on Windows 8 and Windows RT-based tablets.

It addresses two separate flaws, one that allows remote code execution -- such as a malware injection -- if an affected user views a specially crafted Web site. This would allow the attacker to access an infected machine at the same user rights level.

Because the attack vector is higher on more Windows-based machines, the first critical flaw affecting Internet Explorer should be first on the agenda.

The second critical bulletin, which affects the Remote Desktop Client, could allow another such malware injection, giving the attacker the same user rights as the logged-in user.

Both patches fixing the two critical vulnerabilities require the machine to be restarted.

Other vulnerabilities rated as "important" could allow data and information disclosure or an elevation of privileges on affected machines.

Five of the other seven flaws relate to Windows, as well as software running on the platform.

MS13-036 fixes three privately disclosed flaws and one publicly disclosed flaw in a Windows kernel-mode driver, which allows an elevation of privileges, but only affects logged-in users. Another flaw in the Windows kernel, MS13-031, also could allow an elevation of privileges if a user is logged in.

Meanwhile MS13-033 patches a flaw in the Windows Client and Server Run-Time Subsystem (CSRSS). Affected software versions include all versions of Windows Server 2003 and 2008 and Windows XP and Vista.

MS13-030 is an important patch that affects SharePoint and could allow unauthorized disclosure of information. MS13-035 fixes a vulnerability in Office that allows an elevation of user privileges from "user" to "administrator" if an attacker sends a malware-ridden file to the user.

Also today's fixes include a bevy of patches for the Surface RT tablet.

This edition of Patch Tuesday comes at a time when Microsoft is warning that Windows XP support is coming to an end in a year's time. Beginning April 8, 2014, the software giant will no longer provide security updates for the aging 12-year-old operating system.

All patches are available through the usual update channels, including Windows and Microsoft Update.

This story originally appeared as "Microsoft fixes two critical Windows, IE security flaws for April's Patch Tuesday" on ZDNet.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
Tech industry's high-flying 2014
Uber's tumultuous ups and downs in 2014 (pictures)
The best and worst quotes of 2014 (pictures)
A roomy range from LG (pictures)
This plain GE range has all of the essentials (pictures)
Sony's 'Interview' heard 'round the world (pictures)