Final Patch Tuesday of 2012 includes five ‘critical’ updates - fitzgeraldforeas

Today is the last Patch Tuesday of the twelvemonth. There are septenar new security bulletins from Microsoft this calendar month, and five of them are rated "critical." If you use Windows, Microsoft Office, or Explorer, you've got some shape to do to get these new patches applied.

MS12-082 and MS12-083, security bulletins related to flaws in DirectPlay and IP-HTTPS respectively, are rated World-shaking. The Critical security bulletins apply to the Windows OS, Microsoft Office, the Explorer Web browser, and Microsoft Exchange Server—and a couple of of them require a restart for the patch to bring up effect.

Andrew Storms, director of security operations for nCircle, singles out MS12-077—the cumulative update for Internet Adventurer—as the near pressing of the bunch. "Attackers will be targeting online vacation shoppers with this bug, so patch this before you do anything other."

Storms besides notes the unusual fact that the critical flaw in IE affects all versions, but is only exploitable on the newer versions, which are ostensibly "more than secure" than their predecessors, including IE10 along Windows RT. Storms quips, "We can be sure this bug is not a gift Microsoft wanted to receive this holiday season."

Apply the carping patches ASAP in front malware developers craft exploits.

In a blog post, Kaspersky Labs expert Kurt Baumgartner spotlights MS12-079—the Microsoft Office security bulletin. Baumgartner stresses that Microsoft Office has been a very popular target every bit an attack vector for spear phishing attacks in 2012. He points out that a great deal of the aid from malware developers that accustomed be engaged for Adobe brick Reader and Adobe Flash exploits seems to now be invested in cranking unsuccessful exploits aimed at Microsoft Office.

The Microsoft Authority vulnerability is especially concerning because the work does non require any user interaction. The RTF email flaw butt be triggered just by viewing a ill-shapen electronic mail in the Outlook preview pane.

Barring some class of urgent no-day exploit requiring an out-of-stripe patch, Microsoft will finish the year with a total of 83 security bulletins. That is a 17 percent drop from 2011, and a more than 20 per centum drop curtain in the annual security bulletin total compared to 2010.

It's not altogether about the surety bulletins themselves, though. Each security bulletin might actually address a handful of underlying vulnerabilities, so the total of security bulletins don't inevitably tell the total story.

What is arguably more impressive than the general decline in summate security system bulletins is the more invariable number of security measur bulletins from month to month this year. The past twain old age it seems look-alike Microsoft has gone from one or two security system bulletins one month to 10 or many the next calendar month like a yo-yo.

Qualys CTO Wolfgang Kandek believes the more consistent rhythm is indicative of a more mature process. Hopefully that is true, and IT admins can tone overbold to a smooth release pattern in 2022 as recovered.