This was announced a week ago, on 13 Nov 2012. However, it is encompasses an unusually wide range of products and services for a single Microsoft security announcement
All is well
No need to fear, as this fixes were incorporated in the most recent round of “patch Tuesday” Windows updates. But it might be interesting to have a look, at such a comprehesive security bulletin, if you haven’t done so already. The most accessible version, as a higher-level summary is posted on the Microsoft Security blog, Nov 2012 release. It included this bright and basic severity chart, and a few others.
Full details are provided by the Microsoft Security Bulletin MS12-075 - Critical: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226).
Behind the scenes at the origin
A software company, Documill and the not-so-scary, rather friendly Scary Beasty of Google found the initial, critical causes for concern. In fact they seem to have been working on it since early September. Good for them!
It was first reported to the Chromium project as Windows blue screen and arbitrary code execution with corrupted font file
"Windows crashes with blue screen when opening a web page with a corrupted font file embedded with CSS font-face rule. This unfixed bug in Windows font handling possibly allows execution of code at kernel level."
That does sound scary! The process of discovery, notification, resolution and disclosure involved in remedying a critical security vulnerability is laid out quite clearly in the Chromium security issue thread.
There was an award issued in the amount of $5000 for finding the bug, even though it wasn’t Google’s fault per se
. Since it did affect Chrome, Google decided to offer the award. Note that the bug also affected other browsers, including FireFox and Opera, maybe others. The award process is documented too, which is worth having a look at. It’s relatively straightforward but as always, intriguing to follow the interactions in the thread.
This was included, regarding Google policy on reporting and documenting Chromium security vulnerabilities, insofar as being eligible for “bug discovery awards”:
“Boilerplate text: Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.
Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.”