News

Microsoft's November Security Update Fixes 4 Windows 8 Flaws

• By Chris Paoli
• 11/13/2012

Microsoft's first security update after the release of its newest OS features three "critical" bulletin items that address 4 reported issues for Windows 8 and Windows RT.

While three items that address multiple issues in an operating system that has been on the market for less than a month could be alarming for some users, researcher Andrew Storms, nCircle's security director,  commented that due to the very nature of Microsoft's OS and its popularity, the discovery of multiple vulnerabilities in Windows 8 this quickly should be expected.

"Much of [Windows 8's] core operating system is reused from version to version (even in new releases) and all software has its share of bugs," said Storms in a blog post. "These factors, plus the security researchers that love to find and report bugs in the latest versions of software, are why there are several bulletins for Windows 8. They shouldn't surprise you."

This month's patch Tuesday also arrived with an additional critical Internet Explorer fix, one "important" Office security update and a "moderate" Windows item for a total of six bulletins.

Security experts have pegged the Microsoft Web browser item, bulletin MS 12-071, as the top priority for IT this month. Affecting only Windows Explorer 9, the "cumulative security update" addresses three privately reported issues that could lead to remote code execution attacks if users visit specially crafted, malicious Web sites.

According to Jason Miller, Manager of Research and Development at VMware, any security bulletin that targets issues in Internet Explorer should be applied as soon as possible due to the relative ease of infection.

"Like most browser-based attack scenarios, this vulnerability can be exploiting by visiting malicious website which can result in remote code execution," said Miller in an e-mailed response.

Microsoft has suggested that bulletin MS012-075, a fix for three issues in the Windows Kernel should also be a top priority when patching. The most severe issue could lead to a remote code execution attack if a Web site with malicious TrueType font files is visited. This update is rated critical for all versions of Windows, including Windows 8 and Windows RT (found in Microsoft's Surface tablet and other ARM-based Windows devices).

Bulletin MS012-072, the second of three critical Windows items for November, targets all versions of Windows (excluding Windows RT) and Windows Server.

The two privately reported vulnerabilities addressed in this bulletin "could allow remote code execution if a user browses to a specially crafted briefcase in Windows Explorer," according to Microsoft. "An attacker who successfully exploited the vulnerabilities could run arbitrary code as the current user."

The final critical bulletin (MS012-074) takes care of five .NET Framework vulnerabilities in multiple versions of Windows OS and Windows Server (including Windows 8 and Windows RT). If gone unpatched, malicious code could be inserted into a targeted system if a user is tricked into using a harmful proxy auto configuration file.

Due to the relative difficulty of leveraging such an attack, Wolfgang Kandek, CTO of Qualys, Inc., believes that the number of attacks on unpatched systems should be limited.

"The potential for widespread code execution through this mechanism is limited because .NET applications are turned off by default," said Kandek in a blog post. "As of June 2011, they require user agreement to run."

Items in Microsoft's security updated should only be applied once proper testing has been completed. More information on this month's rollout can be found here.