This month brings some interesting updates from the Microsoft central security team’s regular notification service for December 11 2012. The Microsoft Security Bulletin Notification for December 2012 contains seven bulletins, with five of them listed as “critical” and two ranking as “important” overall.
In Bulletin 1 we see a risk of “remote code execution” affecting users of Internet Explorer versions 9 and 10. Unusually, Internet Explorer versions 6, 7, and 8 are not impacted. What is certain is that administrator system updates should be carried out if users’ PCs are not automatically set to update, as they will be for many home users.
Remote code execution
In terms of day-to-day risks, “remote code execution” means that a victim could be compromised and infected simply by visiting a malicious website in what is commonly referred to as a drive-by attack.
If it were possible to describe “critical” as “very critical” then Bulletin 3 would fall into that category as it affects Microsoft Office suites. Here’s what is important to note in this security bulletin, which should be updated/patched as a priority:
- Users “could” be exploited simply by viewing emails, not just by the more usual method of opening attached documents and other files.
- In some corporate environments, Outlook updates are often not given the priority that other updates receive — especially given the growing use of web/cloud email clients.
- This could be described as a “long shelf life” exploit risk due to a lack of Outlook updates — but this update is indeed critical.
Bulletin 4 is an update for administrators to fix vulnerabilities in Microsoft Exchange Server 2007 Service Pack 3, Microsoft Exchange Server 2010 Service Pack 1, as well as Microsoft Exchange Server 2010 Service Pack 2.
Bulletin 4 is interesting because the vulnerability uncovered may have been influenced by other major IT vendors in the database and systems space updating their own far-reaching industry technologies. Given the number of external (non-Microsoft) systems that interact with Microsoft Exchange and seek to maintain interoperability with it, industry-wide incompatibilities that open the door to malicious threats are not unheard of.
When are critical updates “only” important?
Bulletin 6 impacts all Microsoft operating systems (except for Windows RT) and Bulletin 7 only affects Windows Server 2012 and Windows Server 2008 R2. But Bulletins 6 and 7 are rated as important rather than critical, and there is a reason for this:
- The user would have to be running a specific configuration on his or her machine to be affected.
- The user would have to be using his or her machine in what might be defined as “limited circumstances”, i.e. not necessarily typical or normal everyday use for the majority of users.
- The user would have to “participate and/or engage” with the threat by opening a file or performing more involved actions and this downgrades the threat below critical as such — although it is still important and should be acted upon and protected with patch updates.
Microsoft’s Security Bulletin updates are also known as ‘Patch Tuesday’ and occur on the second Tuesday of each month. The information contained in these updates is as valuable to home users as it is to IT administrators in small to medium sized businesses.
While many home users’ systems will be set to “auto-update Windows”, some firms will need to carry out these patch updates manually. As with all crucial updates, they should be installed as soon as possible.
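The following is an added example (not code from the original article): it computes the second-Tuesday release date described above for any month, confirms December 11 2012, and goes one step further by flagging hosts in a constructed inventory whose last applied update predates the most recent Patch Tuesday, the kind of lag check a firm doing manual updates would want. The host names and dates are constructed sample data.

```python
"""Patch Tuesday helpers (added example, not part of the original article)."""
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (Microsoft's release day)."""
    first = date(year, month, 1)
    days_until_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_until_tuesday + 7)


def latest_patch_tuesday(today: date) -> date:
    """Return the most recent Patch Tuesday on or before `today`."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate <= today:
        return candidate
    # This month's release has not happened yet: fall back to last month,
    # which handles the January -> previous December rollover as well.
    prev = today.replace(day=1) - timedelta(days=1)
    return patch_tuesday(prev.year, prev.month)


def hosts_behind(inventory: dict, today: date) -> list:
    """Names of hosts whose last update predates the latest Patch Tuesday.

    `inventory` maps hostname -> date of the last successfully applied update
    (for example, the newest InstalledOn value from the host's hotfix list).
    """
    cutoff = latest_patch_tuesday(today)
    return sorted(h for h, last in inventory.items() if last < cutoff)


# Constructed sample inventory: one host patched the day after the December
# 2012 release, one patched on release day, and one not touched since November.
SAMPLE_INVENTORY = {
    "ws-finance-01": date(2012, 12, 12),
    "ws-hr-02": date(2012, 11, 14),
    "exch-01": date(2012, 12, 11),
}

if __name__ == "__main__":
    print(patch_tuesday(2012, 12))                              # 2012-12-11
    print(hosts_behind(SAMPLE_INVENTORY, date(2012, 12, 14)))   # ['ws-hr-02']
```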