Microsoft is prepping fixes for 19 security vulnerabilities for this month’s Patch Tuesday.
The vulnerabilities are stretched out across six bulletins, four of which are rated critical. Those four address 13 bugs affecting Windows, Internet Explorer and the .NET Framework.
“Most organizations will be affected by these critical bulletins as they relate to legacy codebase that is present even in Microsoft’s most recent releases, such as Windows 8 and Windows Server 2012,” said Marcus Carey, a security researcher with Rapid7. “This may come as a surprise to many who expected Windows 8 and Windows Server 2012 to be much more secure than legacy versions. The truth is that Microsoft and other vendors have significant technical debt in their code base which results in security issues.”
The non-critical updates include a bulletin rated ‘Important’ that will address four vulnerabilities in Microsoft Office and a ‘Moderate’ update that will address two issues in Microsoft Windows.
Bulletin 1 is expected to be a critical cumulative update for Internet Explorer 9 addressing three vulnerabilities. While no attacks have yet been observed in the wild, this should be considered the highest priority for Windows 7 and Vista systems.
Bulletin 6 is marked as important and will close a file format bug in Excel. Bulletin 3 will be a moderate update for IIS but will be an issue only on IIS systems set up to provide FTP services.
In addition to the Microsoft patches, there are two other significant software updates IT administrators need to be aware of and should address next week, blogged Qualys CTO Wolfgang Kandek.
“Adobe released a new version of its Flash player that addresses seven vulnerabilities,” he wrote. “Adobe rates them as ‘critical’ and assigns the patch an overall urgency rating of ‘1’, indicating that patching should be performed within one week. Apple released version 7.7.3 of its QuickTime player for Windows, which addresses nine vulnerabilities. They are all rated critical and should be addressed as quickly as possible.”
“IT administrators may find they don’t have much to be thankful for this Thanksgiving with a disruptive Patch Tuesday headed their way,” said Paul Henry, a security analyst at Lumension.
“We knew that IE9 would have some bugs, but it’s got to be demoralizing for Microsoft to have to patch their newer, more secure browser again so quickly,” said Andrew Storms, director of security operations at nCircle.
Microsoft is also re-releasing two older patches in order to fix timestamp issues with updates from earlier this year.
The Microsoft updates are slated to be released Nov. 13 at approximately 10 a.m. PST.
Additional reporting by Fahmida Rashid