Microsoft releases security mega patch - and a fix for a zero-day exploit

Twenty-six Windows security flaws to patch on 'super Tuesday'

Microsoft's latest set of monthly patch releases includes a stopgap fix for a newly discovered flaw that attackers are actively exploiting.

In addition, three critical software fixes have been rushed out to prevent attackers from exploiting flaws that enable them to take control of a system without user intervention. Microsoft has also released a stopgap fix for a vulnerability uncovered by rival Google.

The patch plugs at least 26 separate security holes in Microsoft's Windows operating systems, addressing vulnerabilities in Windows, Internet Explorer, Dynamics AX, Microsoft Lync (Microsoft's enterprise instant messaging software), and the Microsoft .NET Framework, according to security specialist Brian Krebs.

The first of the updates resolves a vulnerability in the Remote Desktop Protocol (RDP) on Microsoft Windows. Microsoft said that the vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.

The bulletin said that the second and most severe of the 13 vulnerabilities patched in the critical update affects Internet Explorer. It could enable remote code execution if a user views a specially crafted webpage with the exploit built in.

According to the bulletin, "an attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user". In other words, they could take control of the host system.

The final critical update is in the .NET Framework, which has a crucial vulnerability that could enable remote code execution on a client system if a user views a specially crafted webpage using a browser capable of running XAML Browser Applications (XBAPs).

The company gave an example of such a scenario in the bulletin.

"An attacker could host a website that contains a web page that is used to exploit this vulnerability," it said. "In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability."

It added: "In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or instant messenger message that takes users to the attacker's website."

In another Microsoft security update, the firm acknowledged a vulnerability in Microsoft XML Core Services that had been discovered by Google.

In a blog post, Google said that the vulnerability was being "actively exploited in the wild for targeted attacks".

"These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through [Microsoft] Office documents. Users running Windows XP up to and including Windows 7 are known to be vulnerable," it added.

Microsoft said that the vulnerability exists when XML "attempts to access an object in memory that has not been initialised, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on users".

The company has since worked with Google and advises users to install a 'FixIt' tool that will help prevent the exploitation of this vulnerability while it explores how it can provide broader protection to users.