Microsoft has issued its first security update for the Surface tablet. MS12-077 is a "Cumulative Security Update for Internet Explorer," a bundle of patches for IE that Microsoft issues on a regular basis.
There are three vulnerabilities fixed in this cumulative update, but the attack vectors for 2 of them are blocked in the default configuration of Surface. Microsoft still recommends that users apply the update as a defense-in-depth measure. For Surface, the update is available only through Windows Update.
The one vulnerability that does affect the Surface as shipped is designated CVE-2012-4787 and titled "Improper Ref Counting Use After Free Vulnerability." This is Microsoft's description:
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.This is a variation on a type of vulnerability known as "user after free."
Microsoft rates the exploitability of vulnerabilities and rates this one as "Exploit code likely." But as a practical matter, any real-world exploits of this vulnerability are likely to be written to target Intel-based systems and would fail on Surface running Windows RT, likely crashing the system.