Microsoft Previews 3 Security Updates for Windows 8
Windows 8 fixes among the patches previewed in Microsoft's security update advance notification for November.
Microsoft's security update advance notification for November lists four "critical," one "important" and one "moderate" bulletin items to be released next Tuesday.
What's interesting is that three of the four known Windows 8 and RT remote code execution flaws are expected to be fixed in this one. In all, the four critical items will target flaws in Windows, Windows Server, Internet Explorer and Microsoft .NET Framework.
Bulletin one, a critical update for Internet Explorer, and bulletin 5, a critical fix for multiple Windows products (including Windows 8) should be the top priority for IT, according to Paul Henry, security and forensic analyst for Lumension.
"Bulletin 5 is an interesting one, because it's a true type font issue. It resolves three vulnerabilities, the worst of which is a remote code execution," said Henry in an e-mailed response. "Microsoft has been dealing with font issues for a while. True Type Fonts can be embedded all over the place and Windows kernel mode driver renders the font. If these fonts are embedded in a browser or a Word document, for example, it's rendered in the kernel mode driver and winds up becoming a kernel mode exploit. An authenticated, low-rights user could visit a website, the font gets rendered, and it gets rendered as 'system.' This is a very effective attack mode, so Microsoft likes to close out font issues quickly. This is as high a priority as Bulletin 1. Those two bulletins will be the two biggest attack vectors in this batch."
Rounding out the projected bulletin items for the month is an important RCE fix for Microsoft Office and a rare moderate (second-lowest severity rating) information disclosure fix for Windows.
In other Microsoft security update news, Adobe announced this week that it will be realigning future security fixes for its Flash player to coincide with Microsoft's releases (scheduled for every second Tuesday of the month). This is seen to help provide timely security updates for Internet Explorer 10 running on Windows, which has Flash integrated into the Microsoft Web browser for the first time in the product's history.
Specific details on the six bulletin items will be available once the security update is released.