Microsoft's 'Patch Tuesday' Fixes Identify At Least 11 Critical Security Flaws

Microsoft recently published its Patch Tuesday updates for the month of June.

With this recent and rather shocking list of system flaws, Microsoft shows again that it remains not just a mega-corporation but also a reliable source of protection for users the world over - if only users would listen to its warnings.

Microsoft, like all major program producers, supports its products, at least the ones that have been manufactured and sold in the last several years. This means Microsoft technicians continue to scour the inner workings of these products to ensure that any vulnerabilities are identified and corrected.

This most recent series of updates from Microsoft was particularly interesting, as it contained news of some very serious flaws in the company’s products. In all, the updates cover over fifty vulnerabilities affecting Windows, Edge, MS Office, MS Office Exchange Server, ChakraCore and Adobe Flash Player. Eleven of the flaws were rated “critical” and 39 “important.”

Three of these vulnerabilities are worth highlighting. The first is a remote code execution flaw in the company’s web browser, Internet Explorer (IE). Essentially, the browser encounters difficulty handling certain data objects in its memory. While IE is attempting to process this data, it becomes exposed to remote scripting: an attacker can insert code into the browser's operations and so wrest control of IE functions. What was disturbing about this particular bug is that Microsoft listed it as “Publicly Disclosed,” meaning others had known of the vulnerability before Microsoft did.

The second was a flaw exposed via HTTP, the protocol that forms the basis for communications on the internet. On machines running Windows 10 and Windows Server 2016, it could potentially allow hackers to insert malicious code directly on the system.

The third noteworthy bug, and the most critical of all those exposed by Microsoft, was a remote code execution vulnerability. It was identified in the Windows Domain Name System (DNS) library DNSAPI.dll, which means it potentially affects all versions of Windows from 7 to 10, as well as Windows Server editions. The bug exposes all machines running those operating systems to corrupted DNS messages emanating from a server controlled by a hacker. In this way, cybercriminals could run arbitrary code on a user's computer and order it to execute operations. Considering the number of machines worldwide that use the above operating systems, this is a big deal.

What characterized many if not all of the flaws reported by Microsoft is that the bugs were found in very commonly used programs. Each one had the potential to unleash serious damage on a very large number of users. Luckily, technicians at Microsoft identified this danger before it was discovered by someone with more nefarious intentions. It serves as a great example of how a free market often has serious incentive to protect itself and comes through for its clientele.

But the task of maintaining the cybersphere’s safety doesn’t end with the discovery of a potential danger. As recent history has painfully demonstrated - for instance, the WannaCry epidemic of last year - if the warnings are not heeded by the community of users, all the work of the engineers supporting these systems is ultimately useless.