The latest raft of patches has been made available by Microsoft for its software products, to help keep users safe from malicious software and local/remote attackers. This “Patch Tuesday” has brought fixes to 27 security flaws, 14 in Windows (XP SP3, Vista, 7, Server 2003/2008) and 13 in Internet Explorer. On my Windows 7 64-bit computer system the patches weighed in at 55MB.
If you don’t have Windows Update set to automatic updating, it might be worth a manual check right now. The critical updates this month are the following:
MS12-038 | KB2706726 | Vulnerability in .NET Framework Could Allow Remote Code Execution
MS12-037 | KB2699988 | Cumulative Security Update for Internet Explorer
MS12-036 | KB2685939 | Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
Two of the critical updates refer to Remote Code Execution (RCE). With regard to MS12-038, this vulnerability could be exploited through a “specially crafted webpage”, and .NET applications can use the same route to bypass Code Access Security restrictions.
Looking at MS12-036, users who don’t have Remote Desktop enabled are not at risk while that preference setting remains. Systems with Remote Desktop Protocol enabled can suffer from a nasty case of RCE “if an attacker sends a sequence of specially crafted RDP packets to an affected system”.
MS12-037 is a big (24MB) cumulative patch for IE. One of the vulnerabilities was known to people outside of Microsoft and the 12 others were not publicly reported. Again, the worst vulnerabilities could allow RCE “if a user views a specially crafted webpage using Internet Explorer”. And then: “An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user.” It doesn’t matter which version of IE you use: “This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows servers.”
So get your patches done and keep safe. I am left wondering about Internet Explorer 10 on the Windows 8 release preview systems: are those people getting these or similar security updates? If anyone is currently running the Windows 8 preview, please let us know in the comments.