Microsoft pushes 23 fixes, includes patch for Exchange server, urges migration from Windows XP soon

Microsoft has released their monthly security offerings, pushing fixes for 23 vulnerabilities. Of the eight bulletins released this month, Redmond is focused on two of them in particular, as they address flaws in Internet Explorer and Windows XP.

Microsoft says that customers should focus on deploying MS13-059 as soon as possible, as the bulletin fixes eleven vulnerabilities in Internet Explorer, which impact versions 6 to 10, including on Windows RT. When it comes to the odds of these flaws being exploited, Microsoft ranked them on the Exploitability Index as “1” — meaning the software giant fully expects these to be targeted within 30 days, if not sooner. It should also be noted that this bulletin contains a patch to fix the vulnerability used for the Pwn2Own contest earlier this year.

The second bulletin Microsoft is worried about is MS13-060. This bulletin addresses a single flaw within the Windows operating system, centered on the Unicode Scripts Processor. If targeted, an attacker would be able to remotely execute code, simply by having a user view a malicious webpage or document that supports embedded OpenType fonts. But there’s a catch:

“MS13-060 addresses a font vulnerability in the Bengali font, part of the Indic language pack. [It] can only be exploited in Windows XP [and Server 2003], so your organization might escape this patch if the language pack is not installed or if you are not running on XP anymore,” explains Wolfgang Kandek, Qualys’ CTO. “If you are still running on XP, and our stats indicate that over 13 percent of you are still on Windows XP, it is time to implement a migration plan to a newer operating system; after all, Windows XP loses its support in April of next year.
It will then stop receiving security updates and will quickly deteriorate into an easy target for even inexperienced attackers.”

Another patch released this month that will see some attention addresses a flaw in Microsoft Exchange. MS13-061 isn’t really something to worry about, however, as the fix addresses something patched by Oracle some time ago. The vulnerability Microsoft squashed is found in the third-party library Outside In; all Microsoft has done this month is incorporate Oracle’s patches. On the technical side, the flaw addressed by MS13-061 is triggered when a user opens a malicious message in Outlook Web Access (OWA). Microsoft notes that this is a publicly disclosed issue, but most experts don’t see it as a serious threat.