July’s security updates target vulnerabilities in Windows Journal, DirectShow, On-Screen Keyboard and other supporting components.
But the bulk of July updates, once again, consists of nonsecurity fixes for all current versions of Office and their associated applications.
The ongoing battle to protect our browsers
July’s Internet Explorer patch fixes 24 newly disclosed vulnerabilities in Microsoft’s browser. Given the large number of new IE security flaws discovered each month, one has to wonder whether IE was really poorly written or there are more really talented hackers poking at the code. KB 2962872 is rated critical for all current workstation installations of IE (Version 6 and up).
All but one of the newly revealed vulnerabilities were privately reported, meaning they were most likely found by security researchers and reported to Microsoft — i.e., not already “in the wild.” The majority of the flaws could result in exploits using IE memory corruption, but one vulnerability might allow attackers to bypass IE’s Extended Validation Certificate security feature. As usual, the most severe exploits could allow attackers to take remote control of your PC.
Note: XP users won’t receive this update — once again illustrating that using IE with Windows XP is increasingly dangerous.
Another Patch Tuesday chore is adding the latest Adobe Flash Player update. For July, Adobe has released Flash 22.214.171.124 for Windows and Mac, and Version 126.96.36.1994 for Linux, as noted in Adobe’s July 8 security bulletin. Flash Player is updated automatically in Chrome, IE 10, and IE 11.
As an aside to the regular update process, Google announced that unauthorized digital certificates for several Google domains had been issued by the National Informatics Centre of India, which is trusted by India CCA. As noted in the announcement, India CCA certificates are “included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates.”