Microsoft is to release seven bulletins on its final Patch Tuesday of 2012, fixing five critical issues.
According to an advance notification, the critical bulletins will address vulnerabilities in Windows, Word, Windows Server and Internet Explorer. The other two patches are rated as important and will address issues in Windows.
Trustwave SpiderLabs director of security research Ziv Mador said six out of the seven result in remote code execution.
"The last one deals with something Microsoft is calling a 'Security Feature Bypass' and is only in Windows Server 2008 and 2012. Despite being only rated as important, that one is looking very interesting this month," Mador said.
"Bulletin one looks to be extremely nasty, allowing Remote Code Execution in Internet Explorer 6, 7, 8, 9 and 10, including the version of Internet Explorer on that shiny new Microsoft Surface running Windows RT. This makes it the second patch in as many months for Microsoft's new gadget."
nCircle director of security operations Andrew Storms said the IE patch would be a priority for most.
"There's a worrisome Exchange server bug marked critical. IT teams will need to spend the time reviewing this bulletin next Tuesday to better understand the risk and decide if they need to patch it immediately," Storms said.
"This could be a tricky decision for businesses focused on year end revenue because patching the bug may cause some downtime as the year comes to a close. Each individual business will have to decide if the risk of downtime is greater than the risk of being vulnerable."
Microsoft had 100 bulletins for the calendar year, of which 34 were critical, 63 important and three moderate. In 2012, they reduced the number of bulletins by close to 20 per cent.