Microsoft has released advanced notification for the second Tuesday of the month, July 9, 2013, which is the tradition the Redmond software giant follows every month, popularly known as Patch Tuesday. In the advanced notification of July 2013’s Patch Tuesday, seven bulletins, out of which six are classified as Critical by Microsoft and the remaining one is Important.
The six bulletins rated Critical addresses vulnerabilities in Microsoft Windows, .NET Framework, Silverlight, Internet Explorer and GDI+. The single bulletin which is rated Important will address an issue in Microsoft Security Software. All versions of Windows operating system are affected by at least three of the critical vulnerabilities. All versions of Internet Explorer are affected by a critical flaw which will be addressed by one of the fixes.
July 2013 Patch Tuesday (Advance Notification) Details
Tavis Ormandy, an Information Security Engineer, a Google employee, discovered a vulnerability in Microsoft Windows. Full Disclosure is posted to the SecLists mailing list. The vulnerability can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges. The vulnerability is caused due to an error within
win32k.sys when processing certain objects. It can be exploited to cause a crash or execute arbitrary code with the kernel privilege. The vulnerability exists in almost all versions of Windows.
Technically, Microsoft is issuing a patch to address CVE-2013-3660, which is a publicly known issue in the Kernel-Mode Drivers component of Windows. The
EPATHOBJ::pprFlattenRec function in
win32k.sys in all versions of Microsoft Windows does not properly initialize a pointer for the next object in a certain list, which allows local users to get write access to the
PATHRECORD chain, and so gain privileges, by triggering excessive consumption of paged memory and then making many
FlattenPath function calls.