Microsoft Closes Nearly 50 Security Gaps in Patch Tuesday Update

Microsoft patched 47 security vulnerabilities across its product portfolio today as part of a massive Patch Tuesday update.

The fixes are spread across 13 bulletins – four of which are rated ‘critical.’ The others are classified as ‘Important.’ According to Microsoft, the first bulletins organizations should prioritize are MS13-067 – which deals with vulnerabilities in SharePoint Server – and MS13-068, which impacts Microsoft Outlook.

“This update for SharePoint Servers also addresses 10 issues, but here, only CVE-2013-1330 is Critical,” explained Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “While CVE-2013-3180, an Important-rated issue, was publicly disclosed, we have not detected any active attacks involving any of these issues. For the one Critical CVE here, an attacker could send specially crafted content to an affected server. After a failure to properly validate the input, the attacker could then execute code on the system in the context of the W3WP service account.”

CVE-2013-1330 does not affect SharePoint Server 2013, he added.

MS13-068 fixes a critical vulnerability in Outlook 2007 and 2010 that could allow an attacker to execute code in the context of the current user, explained BeyondTrust CTO Marc Maiffret.

“Attackers can exploit this by crafting malicious S/MIME messages and sending them to target users,” he said. “When the user opens the malicious message, the vulnerability will be exploited, causing the user’s system to be compromised and the attacker’s code to run in the context of the current user. Because of this attack vector, it is very important that this patch be rolled out as soon as possible.”

While MS13-068 and MS13-067 may be high on the prioritization list, organizations should also pay close attention to MS13-069, a cumulative update for Internet Explorer rated critical that closes 10 security holes across all supported versions of the browser.

The final critical bulletin is MS13-070, which addresses a Windows vulnerability that could allow an attacker to execute code remotely if a user opens a file containing a specially crafted OLE object.

The remaining bulletins affect Windows and Microsoft Office. Though Microsoft stated last week it was planning to release 14 bulletins today, the company told SecurityWeek that one was pulled for further testing.  

“IE, SharePoint and Outlook are hardest hit this month, and vulnerabilities in XP and Windows 2003 were also patched…something we hopefully will see more of as the XP end of life date of April 8, 2014 nears,” noted Paul Henry, security and forensic analyst at Lumension. “[Windows] 2003 follows that 15 months later with its own EOL date of July 14, 2015. For anyone using XP, a migration plan must be put in place if you don’t already have one.”

In addition to the Microsoft patches, Adobe issued security updates for Flash Player, Adobe Reader and Adobe Shockwave Player. None of the vulnerabilities is known to be under attack, according to the company.
