Critical security holes found in Microsoft software. Patches coming… • Graham Cluley

Microsoft says it will be issuing seven security updates, including six that the firm classifies as “critical”, on Tuesday 9 July.

In an advance notification, Microsoft explained that the security updates would tackle remote code execution vulnerabilities in Internet Explorer, Lync, Visual Studio, MS Office, SilverLight and the .NET framework.

The risk is that if your computer isn’t properly protected against the vulnerabilities, malicious hackers could exploit them to install malware onto your computer and effectively (please excuse the leetspeek) “pwn” it.

Other patches expected in the latest “Patch Tuesday” bundle, include important fixes for Microsoft’s Windows Defender security software.

Sign up to our free newsletter.
Security news, advice, and tips.

Amongst the critical vulnerabilities expected to be fixed is a zero-day vulnerability discovered in Microsoft’s kernel code by Google security engineer Tavis Ormandy.

Ormandy controversially published details of the vulnerability, and later published a working exploit, rather than responsibly disclosing details to Microsoft.

Of course, Tavis Ormandy doesn’t believe he was acting irresponsibly. His argument is that users can better protect themselves if information about vulnerabilities, and how to exploit them, is available for all – whether cybercriminal, office worker, or elderly Great Aunt Agatha – to read on the internet.

Others, like me, believe that security researchers should engage responsibly with software firms to get problems fixed before revealing details of how they can be exploited. The antics of some researchers always leave me with the impression that they are more interested in showing the world how clever they are – rather than doing what’s right for the majority of internet users.

Take, as a model of vulnerability disclosure done right, the recent huge security problem discovered in Facebook which could have meant that cybercriminals could hack any Facebook account just by sending an SMS text message.

The British researcher “fin1te” (real name Jack Whitten) who found that security hole could have gone public about the flaw, and potentially made a big name for himself.

But instead he acted responsibly. He told Facebook about the flaw, and nobody else. Facebook acted quickly to seal the security hole, and a billion Facebook users were protected from potentially having their accounts hijacked.

Yes, Whitten received a $20,000 reward for bringing the flaw to Facebook’s attention – but he could have potentially made a great deal more if he had sold details of the flaw to identity thieves.

More security researchers should act responsibly like Whitten, rather than potentially putting Great Aunt Agathas at risk.

Microsoft likes to give advance warning of the security patches it plans to issue, so IT teams can ready themselves and ensure that they have the right resources to roll them out across networks of computers promptly.

But if you are personally responsible for the security of your computer, you might find it easier to check that you have automatic updates enabled.

Graham Cluley

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.