Patch Tuesday addresses remote code flaws in HTTP and Internet Explorer

Microsoft issues updates to address remote code execution vulnerabilities in HTTP and Internet Explorer in its Patch Tuesday security advice

Microsoft updated four critical flaws that could have left users vulnerable to attacks using remote code execution in a lighter-than-average Patch Tuesday.

The critical updates centre on vulnerabilities in HTTP.sys, Internet Explorer, Microsoft Office and Microsoft Graphics component.

The HTTP.sys patch will resolve a flaw in Windows that could allow remote code execution if an attacker sends a specifically crafted HTTP request to an affected system, said Microsoft. The vulnerability is understood to affect all versions of Microsoft Server from 2008 onwards.

In Internet Explorer, the vulnerability would come to light should a user view a specially crafted webpage using the browser, which may give a successful attacker the same user rights as the original user. Microsoft warned those operating with administration privileges would be particularly at risk.

Read more about Patch Tuesday

Remote code execution vulnerability

In Microsoft Office, a specially crafted Office file could allow remote code execution that would enable an attacker to run arbitrary code in the context of the current user. Again, Microsoft said users with admin rights would be most vulnerable to the exploit.

The fourth and final critical patch addresses a vulnerability in Windows that could allow remote code execution, should a user browse to a website, open a file or browse to a working directory containing an Enhanced Metafile (EMF) image an attacker had compromised.

Three further patches address flaws in Sharepoint Server, Task Scheduler and Windows that could allow attackers to compromise user accounts and make changes, including installing new programmes, injecting malicious content or even creating new user accounts.

Two more will address information disclosure flaws in Active Directory Federation Services and the .NET Framework; and two final patches fix a vulnerability in Windows Hyper-V that could allow denial of service, and a vulnerability in XML Core Services that could allow a security feature bypass.

Read more on Hackers and cybercrime prevention