The three critical bulletins address remote code execution vulnerabilities in Windows, Internet Explorer, and Office, but two of the important bulletins, which are for Office, also address remote code execution vulnerabilities, according to the notification.
“It looks as if all versions of Windows, Internet Explorer and Office are affected by at least one of the bulletins,” Wolfgang Kandek, CTO of Qualys, wrote in a Thursday blog post. “Bulletin [number three] for Microsoft Word is particularly interesting – it is rated critical by Microsoft, which normally does not happen when normal file based vulnerabilities are being addressed.”
Kandek went on to explain that a “critical rating is only given if the vulnerability can be triggered without user interaction, which happens fairly rarely, typically when the Outlook preview can be tricked to run the malicious code automatically.”
The first bulletin – deemed important – addresses an elevation of privilege vulnerability in Microsoft Exchange that was presumably held back from November's Patch Tuesday due to quality issues, Ross Barrett, senior manager of security engineering at Rapid7, said in a Thursday statement emailed to SCMagazine.com.
Chris Goettl, product manager at Shavlik, indicated in a Thursday statement emailed to SCMagazine.com that he is noticing a trend.
“With all of the changes at Microsoft recently, this practice of holding a patch could become a pattern,” Goettl said. “It is likely that with less important patches, these will be released on a subsequent Patch Tuesday. However, for more important patches that aren't ready for Patch Tuesday, they will likely be released later on in the month as they become ready for release.”
The final bulletin addresses an information disclosure vulnerability in Windows and is considered important, according to the notification.