Six bulletins, four rated critical, will be released in Microsoft's November 2012 Patch Tuesday update package, according to an advance notification by the software giant. Many of the issues addressed in the bulletins affect new software, including the first fixes for Windows 8, which is concerning to security researchers.
"Nothing is ever 100% secure and albeit mistakes are made in software. But it's still ugly to see," said Paul Henry, security and forensic analyst at Scottsdale, Ariz.-based Lumension Security Inc.
The four critical bulletins will address 13 vulnerabilities in Microsoft Windows, Internet Explorer and the .NET Framework. All four bulletins involve remediation for remote code-execution vulnerabilities.
Bulletin 1 addresses issues in Internet Explorer 9 and will require a restart to apply the patch. Bulletins 2, 4 and 5 address issues in different iterations of Windows XP Service Pack, Windows Server 2003, Windows Vista Service Pack, Windows Server 2008, Windows 7, Windows Server 2008, Windows 8 and Windows Server 2012; issues in Windows RT are addressed in bulletins 4 and 5. Bulletins 2 and 5 require a restart, while bulletin 4 may require a restart.
"Most organizations will be affected by these critical bulletins as they relate to legacy codebase that is present even in Microsoft's most recent releases," said Marcus Carey, security researcher at Boston-based security vendor Rapid7 Inc. "This may come as a surprise to many who expected Windows 8 and Windows Server 2012 to be much more secure than legacy versions. The truth is that Microsoft and other vendors have significant technical debt in their code base which results in security issues."
Bulletin 6 addresses a remote code-execution vulnerability rated important. It may require a restart to apply updates. The affected software includes different versions of the Microsoft Excel Service Pack, Microsoft Office for Mac, Microsoft Office Compatibility Pack Service Pack and Microsoft Excel Viewer.
Bulletin 3 addresses an information disclosure vulnerability rated moderate. It may require a restart to apply updates to different versions of Windows Vista Service Pack, Windows 7 and Windows Server 2008.
The bulletin release is scheduled for Tuesday, Nov. 13, 2012.
The October 2012 Patch Tuesday release focused on two security advisories. The first implemented a change in the RSA key length to a minimum of 1024 bits. The second addressed a clerical error in the digital signing of several security updates. In addition, there was one critical and six important bulletins in October.