Microsoft's December Security Update Brings Yearly Bulletin Total to 83

December's security update arrived today with five "critical" bulletins and two "important" items that affect all versions of Windows, including its newest Windows 8 and Windows RT.

Today's seven-bulletin total brings the number of security bulletins issued by Microsoft in 2012 to 83.

IT pros are advised to prioritize bulletin MS12-077 as the top concern this month as it addresses three privately reported flaws in Internet Explorer. According to Microsoft, the most severe flaw, a "use-after-free" bug, could lead to a remote code execution  (RCE) attack if a specially crafted Web site is opened with the Microsoft browser.

Kurt Baumgartner, a security researcher with Kaspersky Lab, says that "use-after-free" vulnerabilities, which allow an attacker to execute code or crash a system through an unmapped memory allocation, have been growing in popularity among hackers.

"This 'use-after-free' category of bugs is continuing to prove very difficult to stamp out, even in meaty, prevalent attack vectors like Internet Explorer," said Baumgartner in an e-mailed comment. "It was this sort of vulnerability that was abused in the 2010 Aurora cyber-espionage attacks on Google, Adobe, and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark."

Microsoft suggests that bulletin MS012-079, an RCE fix for two Microsoft Office vulnerabilities, should be prioritized second. Specifically, this bulletin addresses problems in Word that could arise if a malicious Rich Text Format (RTF) document is opened in Microsoft Office 2003, 2007 or 2010.

While this fix is rated critical, Microsoft has said that no attack vectors have been developed using the flaws. However, due to the ease of entry into a targeted machine if an attack were to be created and executed (simply clicking on a sent file from Outlook would automatically open it in Word), the bulletin was designated with the highest level of severity by Microsoft.

According to Microsoft's Bulletin Deployment Priority graph, the final three critical items can be tackled in any order after the first two bulletins have been applied. They include:

  • Bulletin MS12-078, which addresses two RCE vulnerabilities in Windows kernel-mode drivers that could be exploited when a specially crafted TrueType or OpenType font file is executed from a malicious Web site.
  • Bulletin MS12-080 fixes multiple holes in Microsoft Exchange Server 2007 and 2010. According to Microsoft's bulletin summary, the flaw could lead to an RCE attack if a harmful document were previewed using the Outlook Web App (OWA).
  • Bulletin MS12-081, the final critical item of the month, blocks an attacker from gaining access to a targeted machine by exploiting a privately reported vulnerability in how Windows locates and displays file folders.

Microsoft's December patch also included two items rated important. The first, bulletin MS12-082, takes care of an RCE flaw in Microsoft's DirectX API, and the second, bulletin MS12-083, addresses a certificate flaw in Windows Server 2008 R2 and Windows Server 2012.

About the Author

Chris Paoli is the site producer for and


  • Microsoft Buys Orions Systems To Enhance Vision AI Capabilities in Dynamics 365

    Microsoft announced on Tuesday that it has acquired Orions Systems with the aim of enhancing Dynamics 365 capabilities, as well as the Microsoft Power Platform.

  • Microsoft Hires Movial To Build Android OS for Microsoft Devices

    Microsoft has hired the Romanian operations of software engineering and design services company Movial to develop an Android-based operating system solution for the Microsoft Devices business segment.

  • Microsoft Ending Workflows for SharePoint 2010 Online Next Month

    Microsoft on Monday gave notice that it will be ending support this year for the "workflows" component of SharePoint 2010 Online, as well as deprecating that component for SharePoint 2013 Online.

  • Why Windows Phone Is Dead, But Not Completely Gone

    Don't call it a comeback (because that's not likely). But as Brien explains, there are three ways that today's smartphone market leaves the door open for Microsoft to bring Windows back to smartphones.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.