November 2012 Patch Tuesday Overview
Microsoft has released six updates addressing 19 vulnerabilities in the November 2012 edition of Patch Tuesday.
The first bulletin administrators should look at patching immediately is the cumulative update for Internet Explorer. Unlike most cumulative Internet Explorer updates, MS12-071 only affects Internet Explorer version 9. Like most browser-based attack scenarios, this vulnerability can be exploiting by visiting malicious website which can result in remote code execution.
MS12-075 is the second bulletin that administrators should look at patching immediately. This security bulletin addresses vulnerabilities in the Windows Kernel that could potentially lead to remote code execution. If an attacker can entice a user to view a file with malicious TrueType fonts, the attacker could take control of the unpatched system.
There are a couple of interesting notes about this edition of Patch Tuesday. First, we are seeing the first Microsoft security bulletins addressing vulnerabilities in their new operating systems (Windows 8, Windows Server 2012). MS12-072, MS12-074 and MS12-075 all affect the new operating systems or components on the operating systems.
Windows 8 Release Preview and Server 2012 Release Candidate are affected by vulnerabilities such as the ones addressed in MS12-072. It is interesting to note that Microsoft is still offering patches for these vulnerabilities even after both versions of Windows 8 and Windows Server 2012 operating systems are now publicly available in Microsoft’s live released version form.
I was curious to see how Microsoft was going to handle the updates for Windows RT. Windows RT is the version of Windows 8 that runs on devices like the Microsoft Surface tablet. I noticed that Windows Server Update Services (WSUS) had added a category for Windows RT. Looking at the security bulletins this month, the patches for Windows RT are only available through Windows Update. This could present a challenge for IT admins that manually manage their machines and need reporting on which machines are up to date.
Continuing on the product preview front, the security bulletin for Microsoft .NET Framework (MS12-074) also affects .NET 4.5 preview. The patch for this product is only available through Windows Update only (not the Microsoft Download Center). This patching practice has been a common theme for Microsoft releasing security updates for their preview products.
Last month, Microsoft released Security Advisory 2749655 addressing an issue where numerous patch packages and the files contained within the patch packages had been signed with a bad certificate. The certificate is set to expire in early 2013. Microsoft re-released patches affected by this issue during the October 2012 Patch Tuesday and stated that they will be releasing more patches in the future.
Today, we are seeing another re-release of a patch with this issue. The Microsoft Office 2003 patch released in security bulletin MS12-046 has been re-released. Previous re-releases required customers to reapply the patches to ensure the digital certificate would not expire on early 2013. This re-release contradicts the process laid down from Microsoft as the details of the re-release are stating the patch does not need to be reapplied. Hopefully, Microsoft will provide some more clarification soon on why this particular patch does not need to be reapplied.
I will be going over the November Patch Tuesday patches in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our monthly Patch Tuesday webcast. This webcast is scheduled for next Wednesday, November 14th at 11:00 a.m. CT. You can register for this webcast here.
- Jason Miller