Advance notice of Microsoft patches to be issued on December 11

Microsoft just announced the December patches that are scheduled to be released on December 11 – see http://technet.microsoft.com/en-us/security/bulletin/ms12-dec  There are a total of seven patches to be released. Five of the patches are designated as CRITICAL, and two designated as IMPORTANT. The Critical bulletins address vulnerabilities in Microsoft Windows, Word, Windows Server and Internet Explorer. The two Important-rated bulletins will address issues in Microsoft Windows.

 

The critical patches apply to the following Microsoft products:

Workstation Operating Systems

  • Windows XP SP3 and SP2 (32 and 64 bit respectively)
  • Windows Vista SP2 (32 and 64 bit)
  • Windows 7 base and SP1 (32 and 64 bit)
  • Windows 8 (32 and 64 bit)

Server Operating Systems

  • Windows Server 2003 SP2 (32, 64 bit and Itanium)
  • Windows Server 2008 SP2 (32, 64 bit and Itanium)
  • Windows Server 2008R2 base and SP1 (64 bit and Itanium)
  • Windows Server 2012

Windows Tablet Systems (also known as RunTime)

  • Windows RT

Web Browsers

  • Internet Explorer version 9 on Windows Vista (all versions)
  • Internet Explorer version 9 on Windows 7  (all versions)

Microsoft Office Suites

  • Microsoft Word 2007 SP2 and SP3
  • Microsoft Word 2010 SP1 (32 and 64 bit versions)

Microsoft Exchange Server implementations

  • Microsoft Exchange server 2007 SP3
  • Microsoft Exchange server 2010 SP1 and SP2

The IMPORTANT patches apply to the following products:

Workstation Operating Systems

  • Windows XP SP3 and SP2 (32 and 64 bit respectively)
  • Windows Vista SP2 (32 and 64 bit)
  • Windows 7 base and SP1 (32 and 64 bit)
  • Windows 8 (32 and 64 bit)

Server Operating Systems

  • Windows Server 2003 SP2 (32, 64 bit and Itanium)
  • Windows Server 2008 SP2 (32, 64 bit and Itanium)
  • Windows Server 2008R2 base and SP1 (64 bit and Itanium)
  • Windows Server 2012

Office Suites and utilities

  • Microsoft Word viewer
  • Microsoft Office Compatibility pack SP2 and SP3
  • Word Automation services
  • Microsoft Office web apps 2010 SP1

As Internet Explorer is included for most current Windows Workstation operating systems, it is expected that a recommendation to patch workstations as soon as possible will be issued following the release of the patches on December 11.  However, as no details are currently available, this announcement is all that is being provided at this time. Additional information will be available on Tuesday, December 11.

Update December 12 10:00 a.m.

Microsoft has released additional details of the patches released for December 2012.  Prior to the Microsoft announcement on December 11, two of the vulnerabilities had been publicly identified (MS12-78 and MS12-080).  The vulnerabilities identified in MS12-078 apply to both workstation and also server operating systems and are designated as CRITICAL. Further, in the case of MS12-080, the vulnerabilities apply to Exchange 2007 and also Exchange 2010 implementations and are designated as CRITICAL

In the case of Bulletin #1 (MS12-077), the vulnerabilities exist in three modules. Two of the vulnerabilities don’t apply to Internet Explorer versions 6-8 on Windows XP (32 and 64 bit versions), or Windows server 2003 operating systems. However, the third vulnerability is applicable for Internet Explorer version 9 on the following workstation OSs: Vista, Windows 7 and Windows 8 and also for Internet Explorer version 10 on Windows 8 and WinRT and is designated as CRITICAL for these workstations OSs. The vulnerability for the third module also applies to Internet Explorer version 9 for the following server OSs: Server 2008, Server 2008R2 and Internet Explorer version 10 for Server 2012. However, the severity is designated as MODERATE for Server operating systems.

Also of significance regarding the December patches, all of the vulnerabilities would enable remote code execution if any workstation or server OS was exposed to reliable exploit code.

 AgriLife ISO recommendation – As the vulnerabilities apply to both server and workstation operating systems, have critical designations, would enable remote code execution and reliable exploit code is expected to be developed in the next 30 days, it is recommended that the December patches be applied to all Microsoft systems as soon as possible. 

 

December 12 – 3:00 p.m. – update 2

On December 11, Adobe also released an update for Flash to address several vulnerabilities. It is recommended that any flash implementations be patched as soon as possible. Details about the Adobe patch are available at  Adobe ABSB12-27

 

On December 11, Oracle released updates to Java version 1.6 and 1.7. They release numbers are 1.6.38 and 1.7.10 respectively. They can be downloaded from http://java.com/en/download/manual.jsp  

Version 1.7.10 of Java has a number of new security features. Details about these features can be found at http://nakedsecurity.sophos.com/2012/12/19/java-7-update-10-introduces-important-new-security-controls/

 

 

Tags:

Categories: Uncategorized