Today is Patch Tuesday and the first security vulnerability fix from Microsoft for the Surface running Windows RT is out. The bug is in Internet Explorer 10 and affects all other versions of IE on other platforms. Unlike other patches, the Surface version is available only via Windows Update.
Microsoft has issued its first security update for the Surface tablet. MS12-077 is a "Cumulative Security Update for Internet Explorer," a bundle of patches for IE that Microsoft issues on a regular basis.
There are three vulnerabilities fixed in this cumulative update, but the attack vectors for 2 of them are blocked in the default configuration of Surface. Microsoft still recommends that users apply the update as a defense-in-depth measure. For Surface, the update is available only through Windows Update.
The one vulnerability that does affect the Surface as shipped is designated CVE-2012-4787 and titled "Improper Ref Counting Use After Free Vulnerability." This is Microsoft's description:
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
This is a variation on a type of vulnerability known as "user after free."
Microsoft rates the exploitability of vulnerabilities and rates this one as "Exploit code likely." But as a practical matter, any real-world exploits of this vulnerability are likely to be written to target Intel-based systems and would fail on Surface running Windows RT, likely crashing the system.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Top IT Trends to Watch in Financial ServicesIT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Join us for a roundup of the top stories on InformationWeek.com for the week of October 9, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."