Microsoft will address 11 vulnerabilities this month, fixing flaws in Internet Explorer, Microsoft Office and Microsoft Exchange Server.
Seven Microsoft security bulletins, five critical and two important, will be released in the December 2012 Patch Tuesday update, according to the Patch Tuesday Advance notification.
Bulletins 1 through 5 fix critical remote code execution vulnerabilities. Bulletin 1 requires a restart and affects Internet Explorer (IE) 9 and 10. IE 6, 7 and 8 will also be updated to address this issue.
"This flaw exists in IE 6, 7 and 8, but it's not exploitable in those versions," said Marcus Carey, a security researcher at Boston-based security vendor Rapid7 Inc.
Bulletins 2 and 5 require a restart and affect different versions of Windows XP Service Packs, Windows Server 2003, Windows Vista Service Packs, Windows Server 2008 and Windows 7. Bulletin 2 also addresses issues in Windows 8, Windows Server 2012 and Windows RT.
Bulletin 3 may require a restart to complete the patch. The vulnerabilities addressed in this bulletin affect service packs for Microsoft Word 2003, 2007 and 2010; Microsoft Word Viewer; Microsoft Office Compatibility Pack Service Packs 2 and 3; Word Automation Services; and Microsoft Office Web Apps 2010 Service Pack 1. Bulletin 4 may require a restart and affects Microsoft Exchange Server 2007 Service Pack 3 and Microsoft Exchange Server 2010 Service Packs 1 and 2.
The Exchange Server update should get the most attention, according to Wolfgang Kandek, CTO of Redwood City, Calif.-based Qualys Inc. If the update cannot be applied quickly, patching teams should implement a short-term fix, Kandek said.
The important bulletins, 6 and 7, require a restart. Bulletin 6 addresses vulnerabilities that could allow remote code execution. The affected products are Windows XP Service Packs, Windows Server 2003, Windows Vista Service Packs, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 and Windows Server 2012. Bulletin 7 addresses a security feature bypass vulnerability in Windows Server 2008 R2 and Windows Server 2012.
The bulletins will be released Tuesday, Dec. 11 at approximately 1 p.m. ET.