The last Patch Tuesday of 2012 brings with it five critical bulletins, but it probably won't be the end of the world for admins.
Two of the most important patches for admins concern Internet Explorer and Microsoft Word, experts said.
The bulletin for Internet Explorer contains three separate fixes for vulnerabilities found in the browser. The issues, which Microsoft labeled as critical, allowed the possibility that attackers could corrupt memory to execute code.
Versions of the browser earlier than IE9 are not affected. Running IE 10 on a newer operating system such as Windows 8 or Windows Server 2012 drops the vulnerability rating to moderate. Windows RT machines, however, are still at the critical level.
The vulnerabilities only affect IE 9 and IE 10, which softens the blow for administrators because workstations haven't yet been upgraded to the newest browsers and operating systems, said Wolfgang Kandek, CTO of Qualys Inc., an IT services firm based in Redwood Shores, Calif.
The other patch, which concerns Microsoft Word, is especially important if an enterprise runs Microsoft Outlook 2007 or 2010.
The vulnerability, rated critical, covers cases in which an attacker creates a malicious Rich Text Format file, which can lead to remote code execution. The vulnerability specifically affects Microsoft Word, but if Outlook is set to use Word as its document reader (as it is by default), users could run into headaches.
"RTFs aren't going to be blocked," said Jason Miller, member of Shavlik Technologies' Patch Patrol team. There is a chance of potential impact because the file type is ubiquitous, he said.
Another bulletin addresses a reappearance of Oracle's Outside In vulnerability, which had already surfaced in an Office Web App vulnerability in August.
The full list of bulletins is available from Microsoft.
2012 in review: Fewer patches, more communication
This is the second consecutive year the number of bulletins has decreased, but experts noted the consistency with which the patches were released.
"The last two years, every other patch was a larger patch and a smaller patch," said Amol Sarwate, Director of Qualys Vulnerability Labs. However, the heavy-light approach has gone away this year, which Sarwate said is a good thing because companies can better predict how to allocate resources.
Not only has the consistency of bulletin counts improved, but what admins hear from Microsoft has also improved.
"Overall this year, the most underlying thing is more communication and better communication. They're providing a lot more information out there," Miller said.