Mobile // Mobile Devices
News
12/11/2012
01:26 PM
Connect Directly
Facebook
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%
Repost This

Microsoft Issues First Surface Security Patch

Today is Patch Tuesday and the first security vulnerability fix from Microsoft for the Surface running Windows RT is out. The bug is in Internet Explorer 10 and affects all other versions of IE on other platforms. Unlike other patches, the Surface version is available only via Windows Update.

Microsoft has issued its first security update for the Surface tablet. MS12-077 is a "Cumulative Security Update for Internet Explorer," a bundle of patches for IE that Microsoft issues on a regular basis.

There are three vulnerabilities fixed in this cumulative update, but the attack vectors for 2 of them are blocked in the default configuration of Surface. Microsoft still recommends that users apply the update as a defense-in-depth measure. For Surface, the update is available only through Windows Update.

The one vulnerability that does affect the Surface as shipped is designated CVE-2012-4787 and titled "Improper Ref Counting Use After Free Vulnerability." This is Microsoft's description:

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
This is a variation on a type of vulnerability known as "user after free."

Microsoft rates the exploitability of vulnerabilities and rates this one as "Exploit code likely." But as a practical matter, any real-world exploits of this vulnerability are likely to be written to target Intel-based systems and would fail on Surface running Windows RT, likely crashing the system.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government, May 2014
NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work?
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.