Microsoft is to release seven bulletins on its final patch Tuesday of 2012, fixing five critical issues.
According to an advance notification, the critical bulletins will address vulnerabilities in Windows, Word, Windows Server and Internet Explorer. The other two patches are rated as important and will address issues in Windows.
Ziv Mador, director of security research at Trustwave SpiderLabs, said: “Six out of the seven will result in Remote Code Execution, which is about as bad as bad gets. The last one deals with something Microsoft is calling a ‘Security Feature Bypass’ and is only in Windows Server 2008 and 2012. Despite being only rated as important, that one is looking very interesting this month.
“Bulletin one looks to be extremely nasty, allowing Remote Code Execution in Internet Explorer 6, 7, 8, 9 and 10, including the version of Internet Explorer on that shiny new Microsoft Surface running Windows RT. This makes it the second patch in as many months for Microsoft's new gadget.”
Andrew Storms, director of security operations at nCircle, said: “Of course, there's still the possibility of some holiday zero-day mayhem that could require an out-of-band patch. Let's hope that doesn't happen.
“Just in time for online holiday shopping to come to full frenzy, every supported version of Internet Explorer will need a critical patch. It's almost certain this will be the number one priority for IT teams everywhere next week.
“There's a worrisome Exchange server bug marked critical. IT teams will need to spend the time reviewing this bulletin next Tuesday to better understand the risk and decide if they need to patch it immediately. This could be a tricky decision for businesses focused on year end revenue because patching the bug may cause some downtime as the year comes to a close. Each individual business will have to decide if the risk of downtime is greater than the risk of being vulnerable.”
Paul Henry, security and forensic analyst, Lumension, said: “Fortunately, none are currently under active attack, so that should set IT's mind at ease as they begin to apply this set of patches.
“Microsoft had 100 bulletins for the calendar year, of which 34 were critical, 63 important and three moderate. In 2012, they reduced the number of bulletins by close to 20 per cent, coming in at 83 bulletins for the year, of which 35 were critical, 46 important and two moderate. It's great to see that Microsoft's Secure Coding Initiative is paying off, reducing the number of vulnerabilities in their software, resulting in an easier time for IT at Patch Tuesday time.”