Windows 8 gets first critical Patch Tuesday security bulletins

Windows 8 hasn't even been on sale for a month yet but is already the recipient of three critical security updates via Microsoft's monthly Patch Tuesday security bulletins, each of which will block flaws that allow remote execution of code on targeted machines.

That means flaws in the operating system can be exploited by an attacker without the user of the machine executing a program or opening a document.

LEARN: The Windows 8 FAQ 

WINDOWS 8 SECURITY: A no-brainer 

While the new operating system has been designed to be significantly more secure than its predecessors, it still contains legacy code from earlier operating systems, which may contribute to the problem, says Marcus Carey, a security researcher at Rapid 7.

Windows Server 2012 - another recent new Microsoft release - falls prey to the same vulnerabilities, according to the advanced notification the company issued about its November bulletins, which become available Tuesday.

"This may come as a surprise to many who expected that Windows 8 and Windows Server 2012 to be much more secure than legacy versions," Carey says in a written statement. "The truth is that Microsoft and other vendors have significant technical debt in their code base which results in security issues." Technical debt refers to outdated legacy code and in a security context it means vulnerable code.

In all there will be six security bulletins this month, four of them critical. Besides the three affecting Windows 8 and other Windows platforms, the fourth affects Internet Explorer 9 and could enable a man-in-the-middle attack leading to remote code execution. "Nothing is under active attack; however, this is a high priority update and should be considered the highest priority for those running Windows 7 or Vista," says Paul Henry, a security and forensic analyst with Lumension.

One of the critical bulletins deals with a vulnerability that exposes a system to remote code execution via the way the operating system kernel is used to render font types. Specially crafted fonts embedded in Web pages, for example, can generate exploits when they are rendered. Known as Windows True Type font parsing, these exploits have been described by US-CERT as part of Duqu malicious software.

Possible exploits include complete system compromise, installation of programs, viewing, changing, or deleting data, or the creation of new system accounts with full privileges, US-CERT says.

(Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter https://twitter.com/#!/Tim_Greene.)

Read more about wide area network in Network World's Wide Area Network section.

Tags securityMicrosoftWindowssoftwareWide Area Networkoperating systems

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Secure, identity-based protection for your endpoints

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.