Last week, Microsoft announced it would release eight security bulletins, including three labeled as "critical", for various software programs, including most versions of Windows. Those patches were released on schedule on Tuesday as part of Microsofts monthly "Patch Tuesday" event.
However, Microsoft released two more security related patches on Tuesday as well, outside the eight bulletins that are available via Microsofts Automatic Update service. The two unannounced new patches are optional downloads.
The first is described in Microsofts security bulletin as a way to restrict the use of certificates with MD5 hashes. PC World reports that a team of researchers found way back in 2008 that an exploit in MD5 could be used to generate a rogue CA certificate that all of the web browsers of that time would trust. Since then, MD5-based certificates have been phased out but there might be a few still in use out there.
In its security bulletin Microsoft states that its new optional security patch supports Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT. Companies can go ahead and download the patch now to see if it works on their systems. Microsoft plans to push this update via the Automatic Download service in February 2014.
The other security patch has what Microsoft calls "additional defense-in-depth measures for Remote Desktop Protocol Network Level Authentication." Again, users who want this update can download it from Microsofts site, which supports Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The patch does not yet support Windows 8, Windows RT or Windows Server 2012.
Microsoft also revealed the full details of the eight previously announced security bulletins, which included a "critical" one, MS13-059, that fixed 11 privately disclosed issues that affect all versions of Internet Explorer. Another critical bulletin, MS13-060, was released specifically for Windows XP and Windows Server 2003 that plugs a hole that, if left unchecked, would have allowed for a "remote code execution if a customer views a specially-crafted document or web page." Of course, Microsoft will shut down all security updates for Windows XP less than eight months from now.
Finally, two previously released bulletins from Microsoft, MS13-052 and MS13-057, are available to download again, because of some application compatibly issues that were found after the first versions were released.