Microsoft is expected to launch a November 2012 security update tomorrow with six bulletins -- four of them for critical vulnerabilities. Most organizations will be affected by the critical bulletins because they relate to a legacy codebase present even in Microsoft's most recent releases, such as Windows 8 and Windows Server 2012, said Rapid7 researcher Marcus Carey.
"This may come as a surprise to many who expected Windows 8 and Windows Server 2012 to be much more secure than legacy versions," he said. "The truth is that Microsoft and other vendors have significant technical debt in their code base which results in security issues."
Carey offered the following breakdown:
Bulletin 1, listed at critical, is an Internet Explorer vulnerability that could be used in both drive-by and targeted attacks. This will be the top priority for both businesses and consumers since an attacker would be able to compromise their system if the user visits a malicious web page.
Bulletins 2, 4 and 5 are critical bulletins that affect all Microsoft operating systems, from Windows XP, Windows 7, Windows 8, all the way up to Windows Server 2012. Bulletins 2 and 5 are core operating system flaws that require a restart to fix. This means that organizations may experience temporary service disruptions due to patching. Most organizations provision time for these types of service disruptions revolving around Patch Tuesday.
Bulletin 6 is a Microsoft Office vulnerability listed as important, which will allow remote code execution if a victim opens a malicious Office document. This bulletin is listed as important because the attacker can't force the user to open a document; they would have to be socially engineered into opening it.
Paul Henry, security and forensic analyst at Lumension, offered this dour assessment:
"Right off the top, it’s disappointing to see the critical bulletins impacting more than just legacy code as we’ve come to expect in recent months," he said. "These bulletins impact many current generation products and that’s concerning. Nothing is ever 100 percent secure and albeit mistakes are made in software. But it’s still ugly to see."