Windows 8 hasn't even been on sale for a month yet but is already the recipient of three critical security updates via Microsoft's monthly Patch Tuesday security bulletins, each of which will block flaws that allow remote execution of code on targeted machines.
That means flaws in the operating system can be exploited by an attacker without the user of the machine executing a program or opening a document.
While the new operating system has been designed to be significantly more secure than its predecessors, it still contains legacy code from earlier operating systems, which may contribute to the problem, says Marcus Carey, a security researcher at Rapid 7.
Windows Server 2012 - another recent new Microsoft release - falls prey to the same vulnerabilities, according to the advanced notification the company issued about its November bulletins, which become available Tuesday.
"This may come as a surprise to many who expected that Windows 8 and Windows Server 2012 to be much more secure than legacy versions," Carey says in a written statement. "The truth is that Microsoft and other vendors have significant technical debt in their code base which results in security issues." Technical debt refers to outdated legacy code and in a security context it means vulnerable code.
In all there will be six security bulletins this month, four of them critical. Besides the three affecting Windows 8 and other Windows platforms, the fourth affects Internet Explorer 9 and could enable a man-in-the-middle attack leading to remote code execution. "Nothing is under active attack; however, this is a high priority update and should be considered the highest priority for those running Windows 7 or Vista," says Paul Henry, a security and forensic analyst with Lumension.
One of the critical bulletins deals with a vulnerability that exposes a system to remote code execution via the way the operating system kernel is used to render font types. Specially crafted fonts embedded in Web pages, for example, can generate exploits when they are rendered. Known as Windows True Type font parsing, these exploits have been described by US-CERT as part of Duqu malicious software.
Possible exploits include complete system compromise, installation of programs, viewing, changing, or deleting data, or the creation of new system accounts with full privileges, US-CERT says.