Christmas Patch Tuesday Brings Scary Gifts

Microsoft has delivered a notable package of security fixes in its final Patch Tuesday of the year, covering a variety of operating systems and add-ons.

Seven bulletins were released by Microsoft, with five ranked as critical and two as important. In total, they deal with 12 vulnerabilities, covering a range of Remote Code Execution (RCE) flaws in popular software.

One of those RCE flaws is a memory corruption bug in Internet Explorer, whilst another lies in Microsoft Word and results from the way in which the program parses RTF files. For the latter, experts believe exploit code will be made public soon, so teams should get patching.

Patch Tuesday dangers

“An attacker can gain control of a computer without end user interaction because Microsoft Outlook automatically displays the malicious text in the Preview Pane,” warned Wolfgang Kandek, chief technology officer at Qualys.

As part of its security updates, Microsoft has also pushed out a new version of Flash in Internet Explorer 10, addressing three critical vulnerabilities. Adobe has put out its own patch too.

Security professionals have noted the decline in vulnerabilities addressed by Microsoft this year, which is being seen as a positive reflection on secure code, rather than a sign that Patch Tuesday isn’t as effective as it was. The graph below shows the significant drop in 2012 over the two previous years.

Microsoft pushed out 83 bulletins this year, down from 100 in 2011. “Maybe even more important than the raw numbers is the more regular release rhythm that Microsoft set this year. We see this as a clear sign of a more mature process,” Kandek added.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
