In one of the more surprising Patch Tuesdays in recent memory (not including December’s, because they are usually light), we have only one “critical” bulletin, and it is for a service (Remote Desktop) that isn’t enabled on most systems. In addition, there are no significant out-of-band items released. And in the biggest shock of them all, Microsoft Office does not have any security patches this month.
Editor’s Note: Microsoft is having technical trouble with regard to TechNet links (MS12-0XX). We are operating on the belief that eventually Microsoft will fix the links below. In the meantime, click the Sign Out link on TechNet to get the bulletin page to load. The Knowledge Base article KB2608658 is not working at the point of publication, but all the other KBs are working as linked.
MS12-018/KB2641653 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): Locally logged-on users can run a malicious application to exploit a vulnerability in kernel mode drivers and gain administrative rights. Install this patch on your usual cycle.
MS12-019/KB2665364 - Moderate (Vista, W7, 2008, 2008 R2): An issue with DirectWrite can allow an Instant Messenger contact to send a special Unicode sequence to perform a denial-of-service attack. This patch can wait until your normal patch day.
MS12-020/KB2671387 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): This patches a pair of vulnerabilities in the Remote Desktop Protocol (RDP) system, one of which can be used to perform remote code execution attacks against systems that have RDP enabled. Install this patch immediately on systems that allow RDP connections.
MS12-021/KB2651019 - Important (Visual Studio 2008, Visual Studio 2010): Attackers can place malicious add-ins into Visual Studio’s add-in directory, and since Visual Studio often gets run with escalated privileges, the add-in can get them too. If you use Visual Studio, you should install this patch.
MS12-022/KB2651018 - Important (Microsoft Expression Design): The familiar “opening a file from a share with a specially crafted DLL can allow that DLL’s code to be executed” bug is back, this time with the Microsoft Expression Design products. Expression Design users should install this patch when they get a chance.
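One way to find the machines that fall under the "install immediately" advice for MS12-020, as an added example that is not from the original article or from Microsoft: a local check of whether the host accepts RDP connections and whether the update packages are present. The function name and output fields are illustrative, and the package IDs are a caller-supplied parameter (shown with a placeholder) because the IDs that Get-HotFix reports can differ from a bulletin's KB article number.

```powershell
# Added example: local triage for the MS12-020 advice (patch RDP-enabled hosts first).
# Get-RdpPatchPriority and its output fields are illustrative names.
function Get-RdpPatchPriority {
    param(
        # Update package IDs as reported by Get-HotFix; supplied by the caller.
        [string[]]$PackageId = @()
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # Listener port configured for RDP (3389 unless it was changed).
    $port = (Get-ItemProperty -Path $tcpKey -Name PortNumber `
             -ErrorAction SilentlyContinue).PortNumber

    # TermService is the Remote Desktop (Terminal Services) service.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { $svc.Status } else { 'NotFound' }

    # Any requested package that Get-HotFix does not list is treated as missing.
    $missing = @($PackageId | Where-Object {
        -not (Get-HotFix -Id $_ -ErrorAction SilentlyContinue)
    })

    if ($rdpEnabled -and $missing.Count -gt 0) {
        $rec = 'Patch immediately'
    } elseif ($rdpEnabled -and $PackageId.Count -eq 0) {
        $rec = 'RDP enabled: check patch state'
    } else {
        $rec = 'Usual patch cycle'
    }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        RdpEnabled        = $rdpEnabled
        RdpPort           = $port
        TermServiceStatus = $svcStatus
        MissingPackages   = ($missing -join ', ')
        Recommendation    = $rec
    }
}

# 'KB0000000' is a placeholder; substitute the package IDs for your OS version.
Get-RdpPatchPriority -PackageId 'KB0000000'
```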
KB2608658 - Update for Windows 2008 R2.
KB2639308 - Allows Windows 7 and 2008 R2 applications to force executable images to use address space layout randomization (ASLR).
Changed, but not significantly:
Updates since the last Patch Tuesday
There were no security updates released out-of-band.
Minor items added or updated since the last Patch Tuesday:
KB931125 - Root certification update.
KB947821 - System update readiness tool.
Changed, but not significantly: none.