Microsoft Readying 3 Security Updates for Windows 8
According to Microsoft's security update advance notification for November, there will be four "critical," one "important" and one "moderate" bulletin items released this coming Tuesday.
The four critical items will target flaws in Microsoft Windows, Windows Server, Internet Explorer and Microsoft .NET Framework.
Less than two weeks after the release of Windows 8 and RT, remote code execution (RCE) issues in both products will be addressed in three of the four critical updates.
Bulletin 1, a critical update for Internet Explorer, and Bulletin 5, a critical fix for multiple Windows products (including Windows 8), should be the top priority for IT, according to Paul Henry, security and forensic analyst for Lumension.
"Bulletin 5 is an interesting one, because it's a TrueType font issue. It resolves three vulnerabilities, the worst of which is a remote code execution," said Henry in an e-mailed response. "Microsoft has been dealing with font issues for a while. TrueType fonts can be embedded all over the place and Windows kernel mode driver renders the font. If these fonts are embedded in a browser or a Word document, for example, it's rendered in the kernel mode driver and winds up becoming a kernel mode exploit. An authenticated, low-rights user could visit a website, the font gets rendered, and it gets rendered as 'system.' This is a very effective attack mode, so Microsoft likes to close out font issues quickly. This is as high a priority as Bulletin 1. Those two bulletins will be the two biggest attack vectors in this batch."
Rounding out the projected bulletin items for the month are an important RCE fix for Microsoft Office and a rare moderate (second-lowest severity rating) information disclosure fix for Windows.
In other Microsoft security update news, Adobe announced this week that it will be realigning future security fixes for its Flash player to coincide with Microsoft's releases (scheduled for every second Tuesday of the month). The move is expected to help provide timely security updates for Internet Explorer 10 running on Windows, where Flash is integrated into the Microsoft Web browser for the first time in the product's history.
Specific details on the six bulletin items will be available once the security update is released.