A guide to 2012's Patch Tuesdays

An admin's guide to 2012's Patch Tuesdays

Every second Tuesday of the month, administrators plan for Microsoft sending fixes and updates for operating systems and software during an event called "Patch Tuesday."

As a whole, 2012 kept Microsoft busy. Multiple patches were issued to address continuing security issues in Internet Explorer. Many of the critical patches were for vulnerabilities that could allow for remote code execution and attackers gaining the same rights as users. Microsoft even updated some of its policies regarding digital certificates to make its operating systems more secure, following the discovery of the Flame malware.

In this guide, you’ll learn about some of the most critical patches and bulletins Microsoft has issued since February and what administrators should be using to keep their systems secure.

Table of contents:

December: IE, Office, Windows receive final patches of 2012

The final month of 2012 has five critical bulletins. Two of these bulletins -- one for Internet Explorer and one for Office -- are considered to be the most pressing fixes to prevent remote code execution. The patch for IE only affects vulnerabilities found in IE 9 and IE 10. The patch for Office involves Word and is particularly important for enterprises running Outlook 2007 or 2010. Finally, a patch was released for Oracle's Outside In vulnerability, which was also found in Office Web App in August. Experts say that although the number of patches decreased for 2012, the consistency in the patches' release and communication from Microsoft has improved.

November: First patches issued for Windows Server 2012, Windows 8

This is the first month with patches for Windows 8 and Windows Server 2012. Three "critical" bulletins affecting them were issued for remote code execution vulnerabilities in Windows kernel-mode drivers. Internet Explorer also received a critical bulletin for remote code execution vulnerabilities in IE 9 and IE 10 for Windows. Other critical bulletins were issued for remote code execution vulnerabilities in Windows Shell and Office. Finally, Microsoft re-released a previous bulletin as part of a continued effort to prevent problems from an error that could expire patches too early.

October: Word and Kerberos vulnerabilities, August rereleases

Although seven security bulletins were issued, the only "critical" patch was for a vulnerability in recent editions of Word which should be applied immediately. Another vulnerability involved Kerberos authentication that could result in denial of service if it was exploited. Microsoft also had to rerelease five bulletins from August because of a timestamp error in certificates. There were no patches or bulletins for Windows Server 2012 or Windows 8.

September: A light month with two "important" fixes

As one of the lightest Patch Tuesdays this year, September only had two issued bulletins with no "critical" patches. The "important" patches fix elevation of privilege vulnerabilities in service packs for Microsoft Visual Studio Team Foundation Server 2010, Microsoft Systems Management Server 2003 and Microsoft System Center Configuration Manager 2007. Microsoft also issued a warning about new certificate length requirements ahead of October's Patch Tuesday.

August: IE vulnerabilities a concern for third consecutive month

For the third month in a row, Microsoft issued a patch for Internet Explorer vulnerabilities. Microsoft also issued the first critical Exchange patch in three years. The patch fixes a vulnerability in Outlook Web App (OWA).

July: A revised Windows Update policy and a XML vulnerability

One of the month’s three critical patches addressed a XML vulnerability that could be exploited if users clicked on malicious links in instant messages or in IE. Microsoft also released revisions on how Windows Update rejects or accepts digital certificates.

June: Half of month's reported vulnerabilities were in IE

A total of 13 vulnerabilities were addressed in a patch for the newest versions of IE. Many of these vulnerabilities had already been targeted when the patch was released. A patch was also issued to correct Flame malware appearing authentic in certificates.

May: Patches to address Duqu Trojan, Office's rich text format

For the second time in six months, Microsoft issued a patch to fix Duqu trojan vulnerabilities in multiple programs. A critical patch was also issued for Office, which had a vulnerability stemming from how it read documents saved in rich text format.

April: Widespread remote code execution vulnerabilities

Almost every operating system supported by Microsoft was affected by April’s Patch Tuesday, and five of the month's six bulletins involved remote code execution. Patches were issued for critical vulnerabilities in the .NET framework and in business applications like Office.

March: RDP vulnerability was only critical patch issued

Seven issues were reported in March, and the month's lone critical patch was for a Remote Desktop Protocol (RDP) vulnerability for remote code execution. Fixes that were labeled important involved remote code execution in DNA servers and kernel-mode drivers.

Febuary: Remote code execution was month's main issue

Two of the month’s critical bulletins addressed the potential for remote code execution if attackers gained the same rights as users through malicious media files and IE webpages. A critical patch was also issued for a remote code execution vulnerability in kernel-mode drivers.