Last of 2012 Patch Tuesday Fixes Critical IE, Word and Surface Wi-Fi Bug

Last of 2012 Patch Tuesday Fixes Critical IE, Word and Surface Wi-Fi Bug; Adds Phdet Trojan Family to Dec. 2012 MSRT; Update Rollup 5-v2 for Exchange 2010 SP2 Released

Seven security bulletins addressing 12 CVEs are released today as part of the December 2012 Patch Tuesday. Five of the bulletins have a maximum severity rating of Critical, and two have a maximum severity rating of Important.

This update also includes a few improvements for Surface with Windows RT, and provides increased Surface Wi-Fi reliability, improved connectivity in various scenarios, and performance improvements, including: "This update addresses issues where Surface RT users will receive 'Limited' WiFi connectivity. The update also adds support for Access Point names (SSIDs) such as 'Eric's Phone_1' including non-standard-ASCII special characters such as: ñ, ö, ü, á, é," Microsoft stated.

MS12-077 addresses three different privately reported vulnerabilities in the Internet Explorer browser and is marked as "critical" for IE9 and IE10 (on both Windows 8 and Windows 7) and "moderate" for IE9 and IE10 on Windows Server.

"This security update has no severity rating for IE6, IE7, and IE8, because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration," Microsoft's IE team said.

"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," the team wrote.

Microsoft has also released an update to fix Adobe Flash Player vulnerabilities in IE10 running on Windows 8, Windows Server 2012 and Windows RT.

Phdet is the family which has been added to the December 2012 release of the Malicious Software Removal Tool (MSRT).

"Phdet is a family of backdoor trojans that have the ability to perform distributed denial of service (DDoS) attacks. The bot can be found online, going by the formal name of 'Black Energy'."

MS12-079 resolves a remote code execution issue in Microsoft Word that carries a Critical severity rating. "An attacker could run code in the context of the logged-on user if they were to open a specially crafted Rich Text Format (RTF) file, or preview or open a specially-crafted RTF email message in Outlook while using Microsoft Word as the email viewer," Microsoft explained.

You can watch the bulletin overview video below for more information:

Also released today are Update Rollup 5 v2 for Exchange 2010 SP2, Exchange 2010 SP1 RU8 and Exchange 2007 SP3 RU9. "This update contains a number of customer reported and internally found issues. For a list of updates included in this rollup," the Microsoft Exchange team stated.

For more information, check out knowledge base article KB 2785908, "Description of Update Rollup 5 version 2 for Exchange Server 2010 Service Pack 2."

All the following three releases cover Security Bulletin MS12-080:

Below is the December 2012 deployment priority guidance:

Microsoft December 2012 Severity and Exploitability Chart

And here is the risk and impact graph, which shows an aggregate view of this month's severity and exploitability index:

Microsoft December 2012 Security Deployment chart