Microsoft Delivers Two Critical Fixes On First 2013 Patch Tuesday

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Security teams given a busy start to 2013, with a host of serious issues to deal with

The first Patch Tuesday of 2013 includes two critical bulletins and another five issues for IT teams to address.

One of the two critical Patch Tuesday bulletins affects all currently supported versions of Windows from XP SP3 onwards, as well as some Windows Server iterations. It could allow hackers to gain full control over Windows-based systems.

Security experts said the flaw appears to reside in one of the base libraries of Windows, meaning it has a wide impact.

The other critical vulnerability affects Windows 7 and Server 2008, but can result in remote code execution too.

Patch Tuesday misses IE zero-day fix

Microsoft won’t be patching a critical flaw in Internet Explorer that has been used by hackers in drive-by exploits, where users are attacked as soon as they visit a malicious webpage. But it has offered a workaround and IT teams have been advised to implement it as quickly as possible.

“While it affects Internet Explorer 6, 7 and 8, Microsoft is only aware of working exploits for IE8. They have published a workaround for the issue as a Fix-It and we recommend that organisations evaluate that until Microsoft provides a permanent patch for Internet Explorer itself,” said Wolfgang Kandek, CTO of security firm Qualys.

Microsoft is also one of a number of major browser vendors to have warned about a fraudulent certificate for Google services, which a Turkish government agency has been accused of creating. Google, Microsoft and Mozilla have all removed the relevant certificates from their trusted lists, and have told people to watch out for any suspicious activity.

The certificate authority that accidentally handed out the certificate in 2011, TURKTRUST, said all the evidence indicated it had not been used for surreptitious purposes.

How well do you know Internet security? Try our quiz and find out!