Microsoft fixes ‘critical’ security bugs affecting all versions of Windows
Microsoft patched 46 separate vulnerabilities — the majority of which were the highest “critical” rating.
Microsoft has patched two security vulnerabilities affecting all supported versions of Windows.
The software giant said Tuesday that an attacker could remotely exploit a “critical”-rated remote code execution vulnerability in how Windows Search handles objects in memory, allowing a full takeover of an affected computer.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, said the company in an advisory. The attacker would have to send a specially crafted message to the Windows Search service. An attacker could then elevate privileges and “take control of the computer,” the advisory said.
It added that an unauthenticated attacker in an enterprise setting could remotely trigger the flaw through an SMB connection, which Trend Micro researchers said in a blog post is “pretty close to wormable,” referring to its spreadability.
Every supported version of Windows 7 and all versions of Windows 10, as well as Windows Server systems, are affected by the bug.
Although technical details or a proof-of-concept have not been made public and it is not known to be under active exploitation by an attacker, the company warned that there is a “more likely” chance of a future attack.
Another “critical” remote code execution flaw in the legacy JET database engine could allow an attacker to take full control of a computer.
An attacker would likely have to trick a user into opening a malicious database file from an email, the company said, as part of a spearphishing campaign.
The company said that the privately-disclosed bug was “unlikely” to be exploited.
The software giant released patches for 44 vulnerabilities as part of its regularly scheduled Patch Tuesday set of security fixes. More than half of the vulnerabilities listed are rated “critical.”
August’s patches are available through Windows Update.
Read the original article over at ZDNet.