Establishing Digital Trust: Don't Sacrifice Security for Convenience
The first Patch Tuesday of the Windows 8 era is now out, delivering six bulletins addressing no fewer than 19 vulnerabilities. Not all the updates are Windows 8 related, however.
At the top of the Microsoft patch list for November are three critical flaws that are being patched in Internet Explorer. According to Microsoft, the flaws were privately reported and do not affect IE 10, the browser that is included with Windows 8.
Wolfgang Kandek, CTO of Qualys, noted that it's a good thing that Microsoft is patching IE quickly even though the bugs were privately reported. "I don't think we can trust much that bugs stay private for a long time," he said.
The other items on Microsoft's critical fix list for November all affect Windows 8. They include remote code execution flaws in Windows Shell, the .NET framework and Windows Kernel-Mode drivers.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Marcus Carey, security researcher at Rapid7, said the Windows Kernel-mode flaws (MS12-075) are of particular note.
"MS12-075 patches a vulnerability that could allow a user to be compromised by visiting a malicious webpage using TrueType font files," Carey said. "This means MS12-075 can work across multiple versions of Internet Explorer."
Overall, Windows 8 is likely to continue to be a core part of Windows security updates even though the system is brand new and offers stronger security than its predecessors.
"While Windows 8 certainly has received lots of stability and security improvements, we will continue to see problems in software components," Kandek said. "Some will be older issues like the kernel vulnerability that is an inherited code issue, while others like .NET are an additional component that does its work independent from the operating system."
Andrew Storms, director of security operations at nCircle, noted that no one should really be surprised that Windows 8 is being updated for security flaws already.
"Much of the core operating system is reused from version to version, even in new releases, and all software has bugs," Storms said. "These factors, combined with security researchers that love to find and report bugs in the latest software version, are reasons for the number of bulletins for Windows 8."
Overall, Qualys's Kandek is optimistic about the security improvements in Windows 8, saying they should make it a more secure version of Windows for users.
"I particularly like the UEFI Secure Boot," Kandek said. "That's the idea that you can verify in the BIOS that the user is loading an operating system that is signed correctly."
In Kandek's view, Windows 8 Secure Boot will make it much harder for rootkits to infect PC users. "We're just raising the bar here I think," he said.
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network.