News Stay informed about the latest enterprise technology news and product updates.

Microsoft patches MSXML, IE, hardens Windows Update

July's Patch Tuesday update fixes vulnerabilities in IE and MSXML. Plus, Microsoft hardened Windows Update certificates.

Fixes in Internet Explorer and XML and forthcoming changes to Microsoft's Windows Update mechanism are among the highlights of this month's Patch Tuesday.

The Microsoft XML bulletin, one of nine for July and one of three critical bulletins, should be a point of emphasis for admins, said Jason Miller, a member of Shavlik's patch patrol team.

Previously, Microsoft released a "Fix it for Me" hotfix to repair the zero-day vulnerability that allowed for remote code execution. Miller also noted that users with XML 5.0 are still vulnerable, as Microsoft continues to test a patch.

Microsoft also released an Internet Explorer (IE) security update for the second consecutive month. Typically, the company sticks to an every-other-month pattern for security rollups.

Google Chrome and Mozilla Firefox have a higher frequency of security updates, Miller noted. Microsoft hasn't indicated whether or not it will release a security update for Internet Explorer in August.

Last month, the company patched 13 vulnerabilities in IE.

In a security advisory, Microsoft said it released changes to how Windows Update accepts and rejects digital certificates. First, Microsoft reviewed its own digital certificates and said they don't meet security standards and moved them into the "untrusted" state, meaning they won't validate.

Plus, Windows machines will not validate security certificates with RSA keys with less than 1024 bits. The new prohibition on substandard RSA keys means the 1024-bit keys will be "harder to crack," Miller said.

The company said in a blog post that it treats the bulletin as a critical non-security update for Windows machines.

Microsoft's move is a response to the threat landscape, as attackers "were able to get past certificates," Miller said.

The company also took initial steps last month to harden Windows Server Update Services (WSUS) and Windows Update as a response to the Flame malware.

The company released bulletins for SharePoint and patches for Virtual Basic and the Office suite, the latter labeled as important patches. SharePoint is at minimal threat as an attacker would "need to know something about the network" to take advantage of an exploit, Miller said.

Finally, as part of its transition to Windows 8, Microsoft offers a tool that expunges Windows Vista and Windows 7 gadgets from the OS.

Dig Deeper on Legacy operating systems

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Virtual Basic? really?