The December 11 “Patch Tuesday” release from Microsoft will include seven updates that fix eleven vulnerabilities in Internet Explorer 10 (IE10), Word, Windows 8, Windows RT, Exchange and other Microsoft software. Five of the seven updates are labeled “critical.”
Infosecurity reported, “Critical Bulletins 1 and 4, both remotely executable, are worth noting. The first involves Internet Explorer and affects all versions from IE6 to IE10, including the Windows RT version on the new Surface tablet. ‘This makes it the second patch in as many months for Microsoft’s new gadget,’ notes Trustwave’s Ziv Mador.”
CRN’s Ken Presti observed:
Microsoft (NSDQ:MSFT)’s Patch Tuesday software updates will require system reboots just as IT administrators and channel partners are the most nervous about anything that might potentially cause service interruptions.
Furthermore, many of the current vulnerabilities expose the full history of Windows operating systems, leading Alex Horan, senior product manager at CORE Security, to describe this Patch Tuesday as a “Christmas present for the bad guys.”
“Cybercriminals are very happy when they can launch one attack across multiple OSes,” he said. “This Patch Tuesday has vulnerabilities that are repeated across the entire Microsoft family and affects the core of the OS. So the bad guys can write one exploit and basically attack every Windows machine out there. To write one piece of code and have it work against everything is just Nirvana.”
V3.co.uk also quoted Horan, who added, “Wowser, a critical vulnerability in Exchange 2007 SP3 and 2010 SP1 & 2 – internet facing servers with remote code execution vulnerability, and email servers. You don’t just randomly turn off email serves without generating howls of protest from your company to fix this one. This is my number one vulnerability in the bunch.”
According to NetworkWorld’s Tim Greene, “A flaw in Microsoft Word ranks among the top security problems addressed by December’s Patch Tuesday fixes, closing a hole that allows remotely executing malicious code on targeted machines regardless of whether users open the infected file. The bulletin is one of five marked critical by Microsoft in its advanced notification about vulnerabilities this month, and several security experts say the Word vulnerability is the top priority.”