Critical Bulletins 1 and 4, both remotely executable, are worth noting. The first involves Internet Explorer and affects all versions from IE6 to IE10, including the Windows RT version on the new Surface tablet. "This makes it the second patch in as many months for Microsoft’s new gadget," notes Trustwave's Ziv Mador.
The second, Bulletin 4, will arguably be the most troublesome. “This is probably related to Oracle recently updating Outside In, which is used by Microsoft Exchange,” explains Marcus Carey, a security researcher at Rapid7.
It involves a critical vulnerability that requires a restart in Exchange 2007 SP3 and 2010 SP1 and 2. “This is my number one vulnerability in the bunch,” comments Alex Horan, senior product manager, CORE Security. “You don’t just randomly turn off email serves without generating howls of protest from your company to fix this one.” The problem, however, is that since Exchange faces the internet, the bad guys won’t need to break into the network to get at the vulnerabilities. “They just have to send an email or connect to the port where you receive email,” says Horan.
Bulletin 3 is also noteworthy. It’s a Word issue involving RTF parsing; and while Word issues are normally marked important, this one is critical. “Similar to a bulletin issued a few months ago,” explains Lumension’s Paul Henry, “there’s an issue with RTF formatted data that can be parsed in the Outlook Preview Pane, executing the vulnerability. Because of that parsing, this will be very important to apply quickly.”
Perhaps less noteworthy, but similarly marked critical and both requiring a restart are Bulletins 2 and 5. Bulletin 2, says Henry, “is a kernel mode drivers issue.” But he adds, “because executing on this vulnerability would be time consuming and difficult, this is less important than the Word and IE issues.” Bulletin 5 is a Windows File Handling issue for Windows XP SP3, Server 2003 SP2, Vista SP2, Server 2008 SP2, Windows 7 SP0 and 1, Windows 2008 SP0&1. “If they had added Windows 8 then this would have been my new favorite,” says Horan. “Still that list represents a large percentage of the Microsoft operating systems that are installed out there.”
Bulletins 6 and 7 are classified as important. The former is a vulnerability in Direct Play, affecting all versions of Windows from XP through Windows 8. “If you use Direct Play to parse content in Office documents or things embedded in Office documents,” explains Henry, “this vulnerability will come into play.” The latter is a vulnerability in IP HTTPS in Windows server 2008 and 2012, a component in Direct Access. “Essentially,” says Henry, “this is a bug that doesn’t honor the revocation of time stamp, as you might see for corporate credentials after an employee leaves a company. This vulnerability would allow someone with a revoked certificate to log in and access corporate assets.”
One of the problems with this Patch Tuesday is the timing – we’re into the holiday season and reboots are particularly intrusive. Admins may be tempted to delay patching until the new year; but they should consider that as soon as the vulnerability specifics are published next week, hackers will be working on how to exploit them. Delaying patches is never a good idea however appealing it may seem at the time.