As expected, Microsoft today released its regular monthly batch of security bulletins and associated patches. This month there are seven bulletins, addressing 13 identified vulnerabilities (three of these are identified in bulletin MS12-080). Five bulletins have a Critical severity rating, and two are rated Important. Five of the bulletins are for Windows and its components; every supported version of Windows — including the recently-released Windows 8, Windows RT, and Windows Server 2012 — has at least one Critical bulletin. The remaining bulletins are for Microsoft Office and Microsoft server software; both these bulletins are rated Critical. (For a breakdown of bulletin severity by Windows version, please see this month’s preview post.) Full details, and download links, are in the Microsoft Security Bulletin Summary for December 2012.
Microsoft says that the five Windows bulletins will definitely require a system restart; the others may require one, depending on the system’s configuration.
In the preview post, I mentioned that one bulletin (now given the identifier MS12-077) applies to versions of Internet Explorer (such as IE 7 on Windows XP) for which it was not given a severity rating. Microsoft has now added a footnote to the “Affected Software” section of the Summary that explains this:
Severity ratings do not apply to this update for the specified software because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration. However, as a defense-in-depth measure, Microsoft recommends that customers of this software apply this security update.
The handlers at the SANS Internet Storm Center have posted their usual summary of the patch release, along with their severity assessments.
As usual, I recommend applying these patches to your systems as soon as you conveniently can.