Plenty is happening on the Microsoft patch management front. First, Adobe agreed to sync up its patch release cycles with Microsoft’s on the second Tuesday of every month, moving away from quarterly releases. And now on Tuesday, Microsoft will release its first security updates since the release of Windows 8.
Tuesday’s updates include patches for Windows 8 and Windows RT, the operating system used on the new Surface tablets, that the company said will fix critical remote execution vulnerabilities.
IT managers can expect six bulletins addressing 19 vulnerabilities on Tuesday, four rated critical by Microsoft, including one addressing remote execution bugs in Internet Explorer 9. Two bulletins rated important by Microsoft will also be issued, one for Microsoft Office and another in Windows.
Windows 8 was released Oct. 26, and by Halloween researchers at VUPEN had found the first zero-day vulnerability and written an exploit for the new OS as well as Internet Explorer 10. No details were publicly disclosed and CEO Chaouki Bekrar said the technical details and protective recommendations would be shared only with VUPEN customers.
The exploit, Bekrar said, is a sandbox bypass for IE 10 and beats security mitigations in Windows 8, including anti-return oriented programming protection, and ASLR and DEP, which help protect against memory corruption flaws such as buffer overflows.
Adobe, meanwhile, pushed through out-of-band patches for seven Flash Player vulnerabilities that repaired bugs leading to system crashes or remote code execution. Adobe said there are no exploits in the wild for any of the vulnerabilities.
And today, Adobe is dealing with an Adobe Reader zero-day sandbox bypass discovered in an underground market selling for upwards of $50,000, according to a Russian security company, Group-IB.