CIO

Microsoft releases 14 patches for Windows security problems

It's the largest number of patches issued in a single day so far in 2013 and 2014

Microsoft has released patches for 14 vulnerabilities in its Windows operating system, Office and Internet Explorer software, including four it deemed critical, it's highest severity rating.

All four of the critical bugs could allow attackers to remotely execute programs on a targeted system, something that in the past has allowed hackers to steal personal information such as passwords or take over machines for the purpose of sending spam.

The patches were released as part of the company's monthly "patch Tuesday" security update for its major software products. The company had originally planned to deliver 16 updates Tuesday, but two are marked as yet to appear. They include one that was expected to carry a critical rating.

At 14, the number of patches is a monthly record for 2013 and 2014.

They include a problem with Windows Object Linking and Embedding that could allow remote code execution if the user visits a website containing malicious code. If the user is logged in as the administrator, the attacker could gain the ability to install programs and change and delete data. A related patch for Internet Explorer fixes the vulnerability with malicious websites and 16 other problems with the software, said Microsoft.

A security update for the Microsoft Secure Channel software in Windows fixes a problem that leaves Windows Server vulnerable to attack from specially crafted packets. The fourth critical patch fixes a hole in Windows that allows attackers to invoke Microsoft XML Core Services from a malicious website and then remotely execute code on a target system.

A further seven patches are marked as important -- the second highest rank.

One vulnerability in Microsoft Office allows for remote execution of code, four additional problems allow attackers to assign themselves higher privileges and two allow bypass of certain security features in Windows.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com