Patch Tuesday July 2013 Will Patch Issue In Kernel-Mode Drivers Component Of Windows

Microsoft has released its advance notification for the second Tuesday of the month, July 9, 2013, following the tradition the Redmond software giant keeps every month, popularly known as Patch Tuesday. The advance notification for July 2013's Patch Tuesday lists seven bulletins, of which six are classified as Critical by Microsoft and the remaining one as Important.

The six bulletins rated Critical address vulnerabilities in Microsoft Windows, .NET Framework, Silverlight, Internet Explorer and GDI+. The single bulletin rated Important will address an issue in Microsoft Security Software. All versions of the Windows operating system are affected by at least three of the critical vulnerabilities. All versions of Internet Explorer are affected by a critical flaw which will be addressed by one of the fixes.

July 2013 Patch Tuesday (Advance Notification) Details

Tavis Ormandy, an Information Security Engineer and Google employee, discovered a vulnerability in Microsoft Windows. Full disclosure has been posted to the SecLists mailing list. The vulnerability can be exploited by malicious local users to cause a DoS (Denial of Service) or potentially gain escalated privileges. It is caused by an error within win32k.sys when processing certain objects, and can be exploited to cause a crash or execute arbitrary code with kernel privileges. The vulnerability exists in almost all versions of Windows.

Technically, Microsoft is issuing a patch to address CVE-2013-3660, which is a publicly known issue in the Kernel-Mode Drivers component of Windows. The EPATHOBJ::pprFlattenRec function in win32k.sys in all versions of Microsoft Windows does not properly initialize a pointer for the next object in a certain list, which allows local users to get write access to the PATHRECORD chain, and so gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls.

As usual, the bulletin release is scheduled for the second Tuesday of the month, July 9, 2013, at about 10:00 a.m. PDT. Microsoft will also host a webcast on July 10, 2013, at 11:00 AM Pacific Time (US & Canada) to address questions on the security bulletins.
Check back on this blog for more details and deployment guidance for July 2013's Patch Tuesday as soon as Microsoft releases them.
