
Microsoft releases 'critical' fixes for Windows and Windows Server

Microsoft closed out Patch Tuesday for 2011 by issuing 13 security bulletins to fix 19 vulnerabilities, three of which were deemed “critical” for Windows and Windows Server 2003.

In the final Patch Tuesday of 2011 Microsoft released 13 security bulletins, three of them classified as critical, to fix 19 vulnerabilities affecting desktop versions of Windows, Windows Server 2003, Office, Internet Explorer and Windows Media Player.

The three critical bulletins, which Microsoft officials advise should be applied immediately, involve remote code execution vulnerabilities in Windows desktop. One of the updates resolves a privately reported vulnerability that could allow remote code execution if a user were to view “a specifically crafted Web page that employs binary behavior in Internet Explorer,” according to company officials.

Users who have been granted fewer rights on the system are likely to be less impacted than those with administrative rights. This update also contains kill bits for four different third-party ActiveX controls, officials said.

Another security bulletin addresses a privately reported vulnerability that allows remote code execution if users open a file containing a “specifically crafted” OLE object. Hackers successfully exploiting this flaw can gain the same rights as the local user. This vulnerability, rated as “important,” does not, however, affect Windows Server 2008, Windows Server 2008 R2, Windows 7 and Windows Vista, according to Microsoft.

A third privately reported vulnerability, also classified as “important,” allows hackers to remotely execute code in Active Directory, Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Service. In order to exploit this flaw, attackers must acquire credentials to log on to an Active Directory domain.

Microsoft did address the vulnerability that could be exploited by the Duqu intelligence-gathering Trojan. The company had put out an advisory about this flaw in November after the discovery of what some industry observers called a “possible precursor to the next Stuxnet,” a sophisticated worm that served to sabotage Iran’s nuclear program in 2010.

In addition to the security bulletins, Microsoft also released an enhanced version of its Windows Malicious Software Removal Tool, available on Windows Update, Windows Server Update Services and the company’s Download Center.

For more technical information about December’s security bulletins, users can visit Microsoft’s Security TechCenter.
