Patch Tuesday: Critical Fixes and Surface Updates

It’s that time of the month again. No, not that time of the month. It’s Patch Tuesday, the day when Microsoft issues various security patches and performance updates for Windows, Office, Internet Explorer, and other products.

This time around, we have a total of six bulletins. Four are critical, one is important, and the last one is moderate in importance. The first five address remote code execution exploits in Windows, Internet Explorer, the .NET Framework, and Office.The final bulletin is for a security update that resolves an information disclosure bug with the Microsoft Internet Information Services (IIS).

On top of these security patches, Microsoft has also released a slew of updates for the Surface and/or Windows RT. Makes sense, seeing that this is the first Patch Tuesday to occur since the launch of the Surface RT and Windows 8 on October 26. Tom Warren over at The Verge installed the Surface firmware update on top of a few Windows RT updates and is reporting performance gains over an unpatched device. He’s also saying that app launch times have improved, which is a good sign; app launch times (and general lag while using them) was a major criticism of the Surface when it was released.

So, if you haven’t already, fire up Windows Update.

Patch Tuesday: Microsoft and Adobe Releases Critical Patches

It’s that day of the month when you have to fire up Windows Update and install all of those very precious security updates. Both Microsoft and Adobe has released a number of updates which are available for download right now.

The new updates consists of nine bulletins, out of which five updates are rated critical, the highest severity rating. Rest of the updates are rated important by Microsoft. These updates fix 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office. You can either use Windows Update or download the updates from Download Center. If you have automatic updates enabled (as you should), you will probably have these installed already.

Adobe on the other hand has released three security bulletins for Reader, Acrobat, Shockwave and Flash. The updates for Adobe and Acrobat fix about 20 vulnerabilities for both Windows and Mac OS X versions of their software. The Flash Player update, which is touted as the most important among the updates, fixes vulnerability (CVE-2012-1535) which according to Adobe has been used in the wild in a limited manner. The update for Shockwave Player addresses five memory corruption vulnerabilities that could lead to code execution.

For more information on the updates from Microsoft, visit MSRC . To download updates for Adobe products, visit their security bulletins and advisories section.

Make sure to have these updates installed on your PC as soon as possible, for better protection from online threats.

Patch Tuesday Rolls Around With Six Bulletins

It’s that time of the month again: Today is Patch Tuesday, the one Tuesday of the month where Microsoft releases a set of updates to fix nasty — or mild — security issues with its products, and The Next Web has blogged about the riveting, earth-shattering updates that this month has to offer, along with some shiny charts that Microsoft released to spice up this otherwise boring blog post.

Of the updates — six in all — one is rated as ‘moderate’, four ‘important’, and one ‘critical’. In order of least important to most, at a glance the updates address security issues with DirectWrite, DNS, the Kernel, Visual Studio, Expression Design, and RDP. What’s ‘critical’ about the RDP bug? The Microsoft Security Response Center blog elaborates:

MS12-020 (Windows): This bulletin addresses one Critical-class issue and one Moderate-class issue in Remote Desktop Protocol (RDP). Both issues were cooperatively disclosed to Microsoft and we know of no active exploitation in the wild. The Critical-class issue applies to a fairly specific subset of systems – those running RDP – and is less problematic for those systems with Network Level Authentication (NLA) enabled. That said, we strongly recommend that customers examine and prepare to apply this bulletin as soon as possible. The Critical-class issue could allow a would-be attacker to achieve remote code execution on a machine running RDP (a non-default configuration); if the machine does not have NLA enabled, the attacker would not require authentication for RCE access.

They’ve also included some shiny charts to visually present the fixes in a sleek, attractive manner. Here they are: