This month's Microsoft Patch Tuesday is marked by a wide variety of bug fixes across the full range of Windows operating systems.
The Redmond, Washington-based company released seven bulletins this month, five of which are rated as critical.
"There are two that you want to look at right away," said Jason Miller, manager of research and development at VMware. "The first is the update for Internet Explorer because it has multiple vulnerabilities. And, vulnerabilities that involve Web browsers are the most actively attacked. The other one closes the risk of remote code execution in Microsoft Word. A malicious RTF document opened Microsoft Word results in remote code execution, and because Word is used as a default viewer in Outlook, you can be attacked through that."
Wolfgang Kandek, CTO of Qualys, added that this exploit can be activated without even opening the malicious email.
"Outlook uses Word within the preview pane, and that is enough to enable the vulnerability," he said. "You don't have to double-click on it or anything. You just have to scroll over it and make the preview show, and the malware can gain control of your machine. So this one should be immediately patched."
Also listed as critical, Bulletin 78 describes issues with kernel-mode drivers that could enable remote execution involving True Type fonts
"TrueType font vulnerabilities are nothing new," said Marc Maiffret, CTO of BeyondTrust. "Typically in Windows, a lot of the font parsing is actually done within the kernel. This is probably some of the most complex parsing code to be written. And the more complex your parsing code, the [greater your chances are] of having security vulnerabilities, which is why we see so many issues with Adobe and similar types of software. Most of the other ones are mitigated somewhat because of their user level. But this one is complex parsing that is also running within the kernel, which is a privileged area. So this is kind of a perfect storm."
Bulletin 80 is intended to close a vulnerability enabling remote code execution in Microsoft Exchange Server.
"This is now the second critical vulnerability in Microsoft Exchange Server made possible by Oracle," said Maiffret. "So I imagine that Microsoft is trying to figure out how to avoid using the Oracle parsing code, or at least better secure it."
Remaining bulletins include another critical patch closing remote code execution vulnerabilities in the Windows File Handling Component. Two other bulletins, both rated important, address issues in DirectPlay and the IP-HTTPS Component.
In a related matter, Microsoft has also re-issued four new patches to replace previous ones that were incorrectly signed. VMware's Miller recommends that those patches be replaced soon because they will become invalid early next year.
PUBLISHED DEC. 11, 2012