News Stay informed about the latest enterprise technology news and product updates.

Microsoft addresses TrueType, Windows vulnerabilities

On Patch Tuesday, Microsoft addressed a number of critical flaws in font parsing and vulnerabilities in Windows Server 2008 R2.

Coming off a light June, administrators have a busy month ahead of them with patches touching just about every version of Windows and Windows Server. But the focus will be on the workstation.

The updates in July's Patch Tuesday address a total of 34 vulnerabilities. All six critical bulletins include fixes for remote code execution vulnerabilities.

The most critical bulletin includes fixes for eight vulnerabilities in Windows kernel-mode drivers. The vulnerabilities can be exploited if users read certain content with TrueType font. It is one of three critical bulletins that include fixes for TrueType font vulnerabilities. TrueType fonts are handled in three different places: Silverlight, graphic rendering and the Windows kernel.

By exploiting TrueType on a system level -- via the kernel -- attackers can obtain system administrator privileges, said Wolfgang Kandek, CTO at Qualys Inc., an IT security firm based in Redwood Shores, Calif.

Another critical bulletin fixes 17 reported Internet Explorer (IE) vulnerabilities. Attackers can take advantage of these vulnerabilities and gain users' rights if users view certain webpages with IE.

"Browsers continue to be the focus for the security researchers," said Kandek, and "the ones who want to take over the machines."

This is the second month in a row with fixes for a high number of IE vulnerabilities. In June, the Patch Tuesday updates included fixes for 19 IE vulnerabilities.

Kandek speculated the security bounty program Microsoft introduced late last month could play a role in fixes found in the future, but it's unlikely any fixes made its way into this Patch Tuesday.

While IE 11 is better and more secure, "there continue to be ways to exploit it, and ways to make it do an attacker's bidding," said Kandek.

There are also critical fixes for vulnerabilities found in Microsoft DirectShow and Windows Media format, which can be exploited if users open specific image or media files.

Other critical bulletins address vulnerabilities in .NET Framework and Silverlight if applications use a certain line of code designed to gain users' rights.

July's lone important bulletin fixes an elevation of privilege vulnerability found in paths in Windows Defender on Windows 7 and Windows Server 2008 R2.

This month's Patch Tuesday updates follow the year's trend of an increase in monthly fixes. July's fixes bring the yearly total up to 58 bulletins, up from 51 at the same time last year.

Assistant Site Editor Toni Boger contributed to this report.

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.