Microsoft Patch Tuesday's Highest Priority: IE94:58 PM EST Tue. Nov. 13, 2012
Microsoft has released its list of patches for the month of November, as the vendor always does on the second Tuesday of the month. The current edition includes six bulletins, four of which are rated as critical.
This month's tally brings the total number of patches for the year to 76. Wolfgang Kandek, CTO of Qualys, predicts that the total number for 2012 will be well below 100. This would represent fewer patches for this year then were issued in 2010 and 2011.
"The most important update is probably the one for Internet Explorer, but it's only Internet Explorer 9," he said. "If you use this browser, you need to apply the patch immediately, but our statistics show that not too many people in the enterprise are currently using Internet Explorer 9. Last time we looked was in August, and it was only used by about 10 percent of our customers."
According to Microsoft, there are no active exploits associated with the bug, yet it is important to get patched as soon as possible because the issuance of the patch will raise awareness among cyber criminals.
"It's like a broken record," said Jason Miller, manager of research and development at VMware. "Every time you see a browser update, you want to get to it right away. This one only impacts Internet Explorer 9, but as is the case with any browser, you want to get it updated as soon as possible.
Meanwhile, Kandek rates the patch for Excel as the second most important vulnerability on the list. "This is mostly because pretty much everyone has it installed." The vulnerability is only marked as "important" by Microsoft.
"I think it's only listed as important because it requires a number of steps on the part of the end user before the vulnerability becomes exploitable," said Paul Henry, security and forensic analyst at Lumension. "But if you're using Excel, it makes sense to put that in the queue once you've taken care of these larger vulnerabilities."
NEXT: TrueType Font Exposure
After the IE9 patch, Lumension's Henry points to a TrueType font issue as the second most important item on the list. "There are three vulnerabilities here, the worst of which is a remote code execution," he said. "The problem is that this exploit renders at the kernel level. So if the bad guy can get that, particularly TrueType Font, and build it into an exploit, he can get root. So this is absolutely a high priority because it could be remote code executable."
"There is also a theoretical possibility that one can exploit this through third-party browsers or other third-party software," added Andrew Storms, director of security operations at nCircle.
Another patch is tied to Briefcase, a program that is no longer in wide use. "If you are using Briefcase, this should definitely be a concern," said Henry. "It's both ugly and critical, and it affects XP all the way through Windows 7. Briefcase allows you to sync files across your laptop and your desktop. But if you've mapped to a vulnerable or malicious briefcase, remote code could execute on the machine from which you have mapped."
"The briefcase vulnerability is very difficult to execute," said Miller. "It's going to be a man-in-the-middle attack. They need to get somewhere on your network in order to gain access to this. But, Briefcase is not all that common anymore."
Other patches for November include protections against remote code executions in Windows Shell and .Net, as well as a fix to a potential information disclosure breach in Microsoft Internet Information Service (IIS).
PUBLISHED NOV. 13, 2012