Microsoft Readying 3 Security Updates for Windows 8 -- Redmondmag.com

Microsoft Readying 3 Security Updates for Windows 8

By Chris Paoli
11/08/2012

According to Microsoft's security update advance notification for November, there will be four "critical," one "important" and one "moderate" bulletin items released this coming Tuesday.

The four critical items will target flaws in Microsoft Windows, Windows Server, Internet Explorer and Microsoft .NET Framework.

Less than two weeks after the release of Windows 8 and RT, remote code execution (RCE) issues in both products will be addressed in three of the four critical updates.

Bulletin one, a critical update for Internet Explorer, and bulletin 5, a critical fix for multiple Windows products (including Windows 8) should be the top priority for IT, according to Paul Henry, security and forensic analyst for Lumension.

"Bulletin 5 is an interesting one, because it's a true type font issue. It resolves three vulnerabilities, the worst of which is a remote code execution," said Henry in an e-mailed response. "Microsoft has been dealing with font issues for a while. True Type Fonts can be embedded all over the place and Windows kernel mode driver renders the font. If these fonts are embedded in a browser or a Word document, for example, it's rendered in the kernel mode driver and winds up becoming a kernel mode exploit. An authenticated, low-rights user could visit a website, the font gets rendered, and it gets rendered as 'system.' This is a very effective attack mode, so Microsoft likes to close out font issues quickly. This is as high a priority as Bulletin 1. Those two bulletins will be the two biggest attack vectors in this batch."

Rounding out the projected bulletin items for the month is an important RCE fix for Microsoft Office and a rare moderate (second-lowest severity rating) information disclosure fix for Windows.

In other Microsoft security update news, Adobe announced this week that it will be realigning future security fixes for its Flash player to coincide with Microsoft's releases (scheduled for every second Tuesday of the month). This is seen to help provide timely security updates for Internet Explorer 10 running on Windows, which has Flash integrated into the Microsoft Web browser for the first time in the product's history.

Specific details on the six bulletin items will be available once the security update is released.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.