Happy November Patch Tuesday! There are some pretty important bulletins this month, so your devices should be thankful.
Topping our ‘patch immediately’ list this month is the drive-by exploit affecting Internet Explorer 9. It’s fairly obvious that Microsoft patched this bug in IE10 before its release; otherwise, we would’ve seen a bulletin affecting both IE9 and IE10.
The second bug on our list is MS12-075. One of the exploits in this bulletin infects TrueType fonts and creates a theoretical exploit vector with third-party browsers. Be sure to patch this one right after the IE9 bug.
The .NET bug that looked problematic in last week's advance notification isn’t as serious as it could have been. The remote exploit of this bug is complex, so it’s going to be difficult for most attackers to use. This is the kind of bug that is a popular tool for pen testers with local network access to show off possible attack vectors, so you should definitely patch it sooner rather than later.
Despite the release of Windows 8 in late October, three of today’s bulletins affect it. Much of the core operating system is reused from version to version (even in new releases) and all software has its share of bugs. These factors, plus the security researchers who love to find and report bugs in the latest versions of software, are why there are several bulletins for Windows 8. They shouldn’t surprise you.
Many financial and retail organizations go into IT ‘lock-down’ during the last few months of the year. They don’t want to introduce any changes that may impact their ability to process transactions during the holiday shopping season. It’s likely that none of today’s patches will be applied to the server infrastructure of these organizations, so Microsoft’s comprehensive mitigation advice is critical. It allows you to mitigate the security risk without incurring downtime.