Important security updates arrive for all Windows users
On its November Patch Tuesday, Microsoft has closed critical holes in all currently supported versions of Windows – from Windows XP SP3 to the newly released Windows 8.
The company has released a total of six security bulletins to address 19 vulnerabilities in its products. In addition to Windows, the Microsoft developers updated Office, Internet Explorer, the .NET Framework and the Internet Information Services (IIS) web server.
The update in bulletin MS12-075 closes three holes that are likely to attract criminal interest: two of them are use-after-free kernel driver flaws that can potentially be exploited by attackers to execute malicious code at kernel privilege level. A third hole allows for the same but using specially crafted TrueType fonts. Microsoft says that all versions of Windows are affected, even Windows RT for ARM-based tablets.
With MS12-072, Microsoft fixes two critical vulnerabilities in the Windows Briefcase file exchange feature. The two memory errors cause Windows to execute arbitrary code when a specially crafted Briefcase is opened. The flaws affect almost all editions of Windows.
The company has also released cumulative security updates for Internet Explorer 9 and .NET Framework 1.0 to 4.5, as well as an Excel update for the Office 2003 to 2010 versions of the spreadsheet program. The update for Excel also affects Excel Viewer, the Office Compatibility Pack Service Pack 2 and 3, and Office 2008 and 2011 for Mac OS X.
The IIS server has also been updated. Among other things, the vulnerabilities patched by this update allowed attackers to view users' access data via insufficiently protected log files. Microsoft says that no active attacks on any of the November Patch Tuesday vulnerabilities have been observed and that all holes were privately reported.