While most of the IT world is waiting for more news around the Sony data breach (we know very little for sure see Kim Zettner’s piece in Wired for a good and level headed overview), things are continuing to move in our information security realm. More specifically Patch Tuesday for December is coming along with seven patches from Microsoft and probably two from Adobe.
Microsoft is delivering patches for five Remote Code Execution (RCE) vulnerabilities, one bulletin for Windows, one for Internet Explorer and three for Microsoft Office. It looks as if all versions of Windows, Internet Explorer and Office are affected by at least one of the bulletins. Bulletin #3 for Microsoft Word is particularly interesting – it is rated critical by Microsoft, which normally does not happen when normal file based vulnerabilities are being addressed. A critical rating is only given if the vulnerability can be triggered without user interaction, which happens fairly rarely, typically when the Outlook preview can be tricked to run the malicious code automatically. Note that bulletin #3 not only affects Word 2007, 2010 and 2013 but also Word 2011 for Mac OS X.
Adobe has notified of a new version of Adobe Reader and Acrobat in APSB14-28. Both versions 10 and 11 on Windows and Mac OS X are affected by this critical vulnerability. In addition we also expect a new version of Flash as Adobe has had monthly release for Flash in every month in 2014 so far.
Tune in here next week for more information on this normal sized, last Patch Tuesday of the year.