This Tuesday Microsoft released their November updates, with a few critical patches to take a look at. The biggest updates involved three vulnerabilities within Internet Explorer, as well as the first updates for all Windows releases, including Windows 8.
The Internet Explorer patch resolves several remote code execution vulnerabilities, whereby just visiting a specially created webpage could potentially gain the same rights as the user. This was possible based on the way the browser was previously handling objects in memory. As a workaround, setting the browser’s security zone settings to high will block ActiveX Controls and Active scripting.
The critical vulnerability in the Windows shell allows for another remote code execution. This would occur if a user browsed to a specially crafted briefcase in Explorer, allowing the attacker to run arbitrary code as the user. In the event that the user has administrative rights, they could gain control of the entire system and from there could begin to change data or account permissions. Within the .NET framework, the remote code execution vulnerabilities resolved needed a user to use a malicious proxy auto configuration file. The attacker would then inject code into the application while it was running. Check the specific bulletin to get the list of software affected by the vulnerabilities, and what the update is rated based on that software.
The last critical vulnerabilities are within the Windows kernel-mode drivers, based on the way they handle objects in memory. If a user opens a specially crafted document or visits a malicious webpage that has TrueType font files embedded, they allow the potential for a remote code execution exploit. All supported releases of Microsoft Windows will have the severity rating of critical for this update.