Category Archives: Patches and updates

Patch Tuesday for November 2012

Another month, another Patch Tuesday. As discussed in the advance warning post, this month’s crop consists of six patches with nineteen fixes for Windows (including Windows 8), Office, Internet Explorer and .NET:

Windows users are encouraged to install the critical updates as soon as possible via Microsoft Update.

More details at the Microsoft Security Response Center.

Advance warning for November 2012 Patch Tuesday

It’s that time of the month again. Microsoft has issued its advance warning for this month’s Patch Tuesday. The patches themselves will become available, as usual, on the second Tuesday of the month. That’s November 13, 2012, at approximately 10 a.m. PST.

The patches this month affect Windows, Internet Explorer, Office and the .NET Framework. There are six planned bulletins, with 19 total issues being addressed. Four of the bulletins are rated Critical. For all the details, see the related Technet security bulletin.

As always, Windows users should install these patches as soon as possible on or after November 13.

Adobe Flash security updates

Yesterday, Adobe announced a new version of Flash that includes fixes for several security holes in earlier versions. Anyone who uses Flash to view web-based video, which includes anyone who uses YouTube, should install the latest version of Flash as soon as possible.

The latest version of Flash for Windows is 11.5.502.110. Adobe also made available updates for older versions of Flash that address the same security vulnerabilities, but we recommend updating to the latest version.

A new version of Google Chrome, also announced yesterday, includes these security fixes. A similar patch for Internet Explorer 10 in Windows 8 was made available by Microsoft.

These updates resolve buffer overflow vulnerabilities that could lead to code execution, memory corruption vulnerabilities that could lead to code execution, and a security bypass vulnerability that could lead to code execution.

Service Pack 2 for Windows 7 cancelled

With the pile of post-SP1 updates for Windows 7 growing and no end in sight (at least until 2020), Microsoft has decided to forsake IT workers by cancelling plans for SP2. This means that installing Windows 7 is going to become increasingly tedious: install Windows 7, install SP1, then install 100+ (and growing) patches.

Is this yet another attempt by Microsoft to get IT administrators to throw in the towel and upgrade to Windows 8? Maybe. Luckily, IT workers have plenty of tools available to create new, slipstreamed installation media for Windows 7. That means one unattended install for Windows 7, SP1 and all the updates available at the time the media was created. Microsoft stopped officially supporting slipstreaming in Vista and Windows 7, so the process is a bit more difficult, but it’s both possible and worth the effort.

Critical Patch Update fixes 30 Java security issues

Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.

You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.

Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).

It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.