Microsoft issued eight new security bulletins in its August 2013 Patch Tuesday release, including three "critical"...
fixes to remote code-execution vulnerabilities that attackers could exploit to gain the same user rights as an authorized user.
As noted on the Microsoft Security Response Center blog, the update addresses 23 known vulnerabilities in Microsoft Windows, Internet Explorer and Exchange.
Top among the critical bulletins is a cumulative security update for Internet Explorer, which resolves 11 undisclosed vulnerabilities in Internet Explorer that could enable remote code execution.
The two other critical bulletins also resolve remote code execution vulnerabilities in the Unicode Scripts process in Microsoft Windows and in the Microsoft Exchange Server.
The update's other five "important" security bulletins resolve: a vulnerability in remote procedure call that could allow elevation of privilege if an attacker sends a specially crafted RPC request; vulnerabilities in Windows Kernel that could allow escalation of privilege; vulnerabilities in Windows NAT driver that could allow denial of service; a vulnerability in ICMPv6 that could allow a denial of service if an attacker sends a specially crafted ICMP packet to the target system; and a vulnerability in Active Directory Federation Services that could reveal information pertaining to the service account.
In analyzing the update, Trustwave Spider Labs noted on its blog that the critical fixes "don't get much more critical," and advised its customers to "start scheduling those reboots, because you're going to need them" -- a tongue-in-cheek reference to the fact that nearly all the updates require system reboots.
Microsoft also said on its blog that its new bug bounty programs are, as expected, generating a lot of interest and participation. After eschewing them for years, in June it reversed course and announced a program to compensate researchers who find and share Windows vulnerabilities with the software giant. It's currently running two bounty programs, the Mitigation Bypass Bounty and BlueHat Bonus.