Microsoft released five critical security bulletins, fixing coding errors in Internet Explorer (IE) and Microsoft Word. The IE flaws are present in all versions of the browser; however, they are not being exploited in the wild, and for versions before IE 9 the update is a defense-in-depth change only.
Patching experts say the IE vulnerabilities, addressed in MS12-077, should be some of the first that companies address. The security update is critical for IE 9 and 10, and has no severity rating for IE 6, 7 and 8. The most severe vulnerabilities could allow remote code execution. A successful attacker could gain the same rights as the current user. Paul Henry, security and forensic analyst at Lumension Security Inc., in Scottsdale, Ariz., said the popularity of IE makes this patch an important one for businesses.
MS12-079 is another critical bulletin that should be a high priority for businesses. This bulletin patches a vulnerability in Microsoft Word that could allow remote code execution if a user opens a specially crafted Rich Text Format (RTF) file using a flawed version of Microsoft Office software, or previews or opens a specially crafted RTF email message in Outlook while using Microsoft Word as the email viewer.
Amol Sarwate, director of vulnerability research at Redwood City, Calif.-based Qualys Inc., said Word vulnerabilities are usually only rated Important; however, Microsoft made it a critical update because Word is the default preview method for email attachments in Outlook.
MS12-079 affects Microsoft Word 2003, 2007 and 2010, and all supported versions of Microsoft Word Viewer, Microsoft Office Compatibility Pack, and Microsoft Office Web Apps. It may require a restart.
MS12-078 is a critical security bulletin that requires a restart. It fixes vulnerabilities in Windows Kernel-Mode Drivers that could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType or OpenType font files. The vulnerabilities affect all supported releases of Microsoft Windows.
MS12-080 fixes vulnerabilities in Microsoft Exchange Server 2007 and 2010, the most severe of which are in Microsoft Exchange Server WebReady Document Viewing, and may require a restart. These vulnerabilities could allow remote code execution if a user previews a specially crafted file using Outlook Web App. Businesses using Exchange should pay attention to this bulletin, said Wolfgang Kandek, CTO at Qualys.
The final critical bulletin is MS12-081, which addresses a vulnerability in the Windows File Handling Component that could allow remote code execution. It requires a restart. The affected software is Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.
The two important bulletins, MS12-082 and MS12-083, require a restart. MS12-082 fixes a vulnerability in DirectPlay that could allow remote code execution. The vulnerability is present in all supported versions of Microsoft Windows except Windows RT. MS12-083 fixes a vulnerability in IP-HTTPS that could allow a security feature bypass. It impacts all supported editions of Windows Server 2008 R2 and Windows Server 2012.
Microsoft also released an update to Security Advisory 2755801, which fixes vulnerabilities in Adobe Flash Player in IE 10. The advisory is in conjunction with a critical update to Flash Player issued today by Adobe.
Microsoft bulletins decline in 2012
Microsoft said its last Patch Tuesday of 2012 marks a year with an overall decline in security bulletins, something Lumension's Henry attributes to Microsoft's secure coding initiative.
"Most of the updates [this year] have been with legacy code," Henry said.
There were 83 bulletins in 2012, 100 in 2011 and 106 in 2010. Henry also pointed out that the number of patches each month has evened out. This year, every month except September had six to nine bulletins. In contrast, 2011 saw the totals go up and down on a monthly basis. This turn to greater consistency has helped IT teams better prepare for Patch Tuesday.