Patch Tuesday to fix vulnerabilities in Windows 8 and Surface

News 9 Nov, 2012

Three critical updates for new OS and Microsoft tablet

Although Windows 8 and its Surface tablets went on sale less than a month ago, Microsoft is to release three fixes for them.

Three security holes have been found that affect Windows systems from Windows XP SP3 right up to and including Windows 8 and Windows Server 2012.

The flaws allow hackers to execute malicious code on vulnerable systems. A couple of patches also fix flaws in Windows 8 RT, the ARM-based OS used in Microsoft's new tablet computer.

Another critical patch is for an Internet Explorer vulnerability that could be used in both drive-by and targeted attacks. An attacker would be able to compromise a user's system if the user visits a malicious web page.

Another flaw affects Microsoft Office. Listed as important, the vulnerability allows remote code execution if a victim opens a malicious Office document. This bulletin is listed as important because the attacker can't force the user to open a document; the user would have to be socially engineered into opening it.

The six patches rectify 19 vulnerabilities found in Microsoft software. The patches will be released on Tuesday 13 November.

"Most organisations will be affected by these critical bulletins as they relate to legacy codebase that is present even in Microsoft's most recent releases, such as Windows 8 and Windows Server 2012," said Marcus Carey, a security researcher with Rapid7.

"This may come as a surprise to many who expected Windows 8 and Windows Server 2012 to be much more secure than legacy versions. The truth is that Microsoft and other vendors have significant technical debt in their code base which results in security issues."

Alongside the patches for Microsoft, Adobe is to release patches for vulnerabilities in its own products.

The software company will be releasing updates timed to coincide with Microsoft’s patching schedule, rather than its previous policy of sending out updates as soon as they are ready.

“Starting with the next Flash Player security update, we plan to release regularly-scheduled security updates for Flash Player on 'Patch Tuesdays',” the company said in a release.

The patches will fix seven critical flaws in Flash Player.

According to Chester Wisniewski, security expert at Sophos, Flash Player remains one of the most exploited plug-ins used in drive-by web attacks, and he said "it is sensible to update as soon as possible."