Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/9/2012
02:16 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Windows 8, RT Get First Security Fixes

Microsoft's first set of Windows 8 and Windows RT patches for critical vulnerabilities hits next week.

Microsoft Pop-Up Stores: Hands-On Look
Microsoft Pop-Up Stores: Hands-On Look
(click image for larger view and for slideshow)
Windows 8 and Windows RT, released just two weeks ago, are about to receive their first security makeover.

Microsoft on Thursday said that it plans to release its first security patches for Windows 8 and Windows RT as part of its monthly patch cycle next week.

Six security bulletins are scheduled for release, addressing a total of 19 vulnerabilities. Three of the bulletins apply to Windows 8, each of which has been designated critical. Two of the bulletins apply to Windows RT, one of which is critical.

Microsoft won't disclose specifics about the flaws until the patch is released to the public, but the Windows 8 vulnerabilities all allow remote code execution. One of them also affects Microsoft .NET Framework.

[ Get expert guidance on Microsoft Windows 8. InformationWeek's Windows 8 Super Guide rounds up the key news, analysis, and reviews that you need. ]

Other Microsoft software affected includes Windows XP, Windows Vista, Windows 7, Server 2003, Server 2008, and Server 2012. Also affected are Microsoft Internet Explorer 9; Microsoft Excel 2003, 2007, 2010; Microsoft Office for Mac 2008, 2011; Microsoft Excel Viewer; and Microsoft Office Compatibility Pack.

With regard to the two Windows RT vulnerabilities, both the critical one and the important one could allow remote code execution. Users who have chosen to enable automatic updating will receive the patches, as might be expected, automatically.

Versions of Internet Explorer prior to IE9 are not being patched. Neither is IE10, which ships with Windows 8 and Windows RT.

That doesn't mean IE10 is not without potential problems: On October 30, French security firm VUPEN claimed that it had identified a vulnerability affecting Windows 8 and Internet Explorer 10. Unfortunately for Microsoft customers, VUPEN sells information about the vulnerabilities it finds to its clients rather than disclosing the information to Microsoft or the public.

Upgrading isn't the easy decision that Win 7 was. We take a close look at Server 2012, changes to mobility and security, and more in the new Here Comes Windows 8 issue of InformationWeek. Also in this issue: Why you should have the difficult conversations about the value of OS and PC upgrades before discussing Windows 8. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
11/17/2012 | 6:30:25 PM
re: Windows 8, RT Get First Security Fixes
Why not just bundle the IE updates along with the other patches? Glad to see the at least they are keeping the Windows updates up to par. I foresee users unhappy who are running Windows 8, and unaware of the IE updates and vulnerabilities due to not receiving them.

Paul Sprague
InformationWeek Contributor
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...