In one of the more surprising Patch Tuesdays in recent memory (not including December’s, because they are usually light), we only have only one “critical” bulletin, and it is for a service (Remote Desktop) that isn’t enabled on most systems. In addition, there are no significant out-of-band items released. And in the biggest shock of them all, Microsoft Office does not have any security patches this month.
Security Patches
MS12-017/
KB2647170 -
Important (2003, 2008, 2008 R2): There is a denial of service vulnerability in the Windows DNS server. Install this patch on those servers running DNS.
MS12-018/
KB2641653 -
Important (XP, Vista, W7, 2003, 2008, 2008 R2): Locally logged on users can run a malicious application to exploit a vulnerability in kernel mode drivers and gain administrative rights. Install this patch on your usual cycle.
MS12-019/
KB2665364 -
Moderate (Vista, W7, 2008, 2008 R2): An issue with DirectWrite can allow an Instant Messenger contact to send a special Unicode sequence to perform a denial of service attack. This patch can wait until your normal patch day.
MS12-020/
KB2671387 -
Critical (XP, Vista, W7, 2003, 2008, 2008 R2): This patches a pair of vulnerabilities in the Remote Desktop Protocol (RDP) system, one of which can be used to perform remote code execution attacks against systems that have RDP enabled. Install this patch immediately on systems that allow RDP connections.
MS12-021/
KB2651019 -
Important (Visual Studio 2008, Visual Studio 2010): Attackers can place malicious add-ins into Visual Studio’s add-in directory and since Visual Studio often gets run with escalated privileges, the add-in can get them too. If you use Visual Studio, you should install this patch. *
MS12-022/
KB2651018 -
Important (Microsoft Expression Design): The familiar “opening a file from a share with a special crafted DLL can allow that DLL’s code to be executed” bug is back, this time with the Microsoft Expression Design products. Expression Design users should install this patch when they get a chance.
Other updates
KB2608658 - Update for Windows 2008 R2.
KB2639308 - Allows Windows 7 and 2008 R2 applications to force executable images to use address space layout randomization (ASLR).
“The Usual Suspects”: Updates to the ActiveX killbits, Malicious Software Removal Tool and the Junk Email Filter.
Changed, but not significantly:
•
MS10-058/
KB978886 - Security update for Vista and 2008.
Updates since the last Patch Tuesday
There were no security updates released out-of-band.
Minor items added or updated since the last Patch Tuesday:
KB931125 - Root certification update.
KB947821 - System update readiness tool.
Changed, but not significantly: none.
