Today is Patch Tuesday and the first security vulnerability fix from Microsoft for the Surface running Windows RT is out. The bug is in Internet Explorer 10 and affects all other versions of IE on other platforms. Unlike other patches, the Surface version is available only via Windows Update.
Microsoft has issued its first security update for the Surface tablet. MS12-077 is a "Cumulative Security Update for Internet Explorer," a bundle of patches for IE that Microsoft issues on a regular basis.
There are three vulnerabilities fixed in this cumulative update, but the attack vectors for 2 of them are blocked in the default configuration of Surface. Microsoft still recommends that users apply the update as a defense-in-depth measure. For Surface, the update is available only through Windows Update.
The one vulnerability that does affect the Surface as shipped is designated CVE-2012-4787 and titled "Improper Ref Counting Use After Free Vulnerability." This is Microsoft's description:
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
This is a variation on a type of vulnerability known as "user after free."
Microsoft rates the exploitability of vulnerabilities and rates this one as "Exploit code likely." But as a practical matter, any real-world exploits of this vulnerability are likely to be written to target Intel-based systems and would fail on Surface running Windows RT, likely crashing the system.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.