Newer doesn't always mean more secure, especially when it comes to Web browsers. It's a lesson that Microsoft is delivering this month as part of its final Patch Tuesday update of 2012.
In total, Microsoft's December Patch Tuesday security update is fixing 12 vulnerabilities spread across Windows Internet Explorer (IE), Word and Windows Server.
Critical Fixes for IE
At the top of the list is a critical update that fixes three separate vulnerabilities in IE. The IE fixes are cumulative and patch all current versions of Microsoft's browser, though the impact is more severe in IE 9 and 10.
All of the IE fixes involve use-after-free memory vulnerabilities. In a use-after-free condition, memory that has already been legitimately allocated is leveraged for malicious use by an attacker.
"A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted," Microsoft warns in its advisory."The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."
Andrew Storms, director of security operations, advises users to patch the IE flaws immediately.
"Attackers will be targeting online holiday shoppers with this bug, so patch this before you do anything else," Storms said. "In an odd turn of events, this bug affects all versions of Internet Explorer but is only exploitable on the newer, ‘more secure’ versions; we can be sure that this bug is not a gift Microsoft wanted to receive this holiday season."
In addition to IE, Microsoft is fixing a critical flaw in Microsoft Word that could enable attackers to execute remote code. The vulnerability could be exploited by way of a malformed Rich Text Format (RTF) document.
"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft warns in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Another critical flaw being addressed in the December Patch Tuesday update is for a Windows File Handling component that could leave users at risk. According to Microsoft, the vulnerability could allow remote code execution if a user browses to a folder that contains a file or subfolder with a specially crafted name.
Fonts can also be used as a potential attack vector, as this Patch Tuesday reveals. A pair of critical font parsing vulnerabilities are being patched this month, one for OpenType and the other for TrueType fonts.
"The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType or OpenType font files," Microsoft warns in its advisory. "An attacker would have to convince users to visit the website, typically by getting them to click a link in an email message that takes them to the attacker's website."