Some Holiday Cheer from Microsoft

- December 13th, 2011

 

Think the 12 Days of Christmas jingle:
On this Patch Tuesday before Christmas ….. Microsoft Gave to me ….. 3 critical patches… 10 important ones…and a patch for the Duqu vulnerability…

We initially expected 14 bulletins for this December Patch Tuesday; however, the much-awaited fix for “The Beast” SSL issue was not released today after all. Given the extensive regression testing Microsoft does across various configurations, my assumption is that additional testing is likely required for an issue as complex as this.

Microsoft ended the year with 13 December bulletins and fortunately for all of us, that includes the much needed Duqu patch.

While at first glance 13 bulletins may seem like a large number, only 3 are critical. And while IT teams will see a needed break on Microsoft vulnerabilities this month, concerns over other, third-party applications should keep them busy through the end of the year.

December Patch Tuesday details:

  • 6 Windows vulnerabilities
  • 1 IE vulnerability
  • 5 Office vulnerabilities
  • 1 Windows Media Player vulnerability

2011 in review

Considering the previous years of Microsoft patches this is not a bad way to end the year.  Microsoft released 17 bulletins on the 2010 December Patch Tuesday. In total, 2011 saw 99 bulletins – down from 2010 when we saw 106.  Clearly Microsoft has dramatically improved its software processes and this is reflected in the continued decline of vulnerabilities considered critical in the current codebase. The numbers speak volumes on the improvements from Microsoft – in 2006 70% of security patches were critical and in 2011 critical vulnerabilities fell to just 30%. In an otherwise volatile threat landscape, this is good news for everyone.

Outside of Microsoft, IT staff is dealing with the Zero Day Adobe vulnerability as previously discussed on the Lumension Blog.  Adobe is only releasing a patch for the Windows versions of the issue because that is the primary platform under attack. A fix for Unix and Mac users will not be available from Adobe until January 12, 2012.  In all, Adobe released 121 bulletins this year, also down from last year.

Another trend worth mentioning is the increased use of Java as an emerging leading threat vector. As with the Adobe issues of the past few years, hackers are taking advantage of users’ failure to patch outdated versions. A recent article in Dark Reading noted that “… since the third quarter of 2010, Microsoft has detected or blocked some 6.9 million exploit attempts on Java each quarter, with a total of 27.5 million attempted exploits during that 12-month period”.

Critical

MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

MS11-090
Cumulative Security Update for ActiveX Kill Bits

MS11-092
Vulnerability in Windows Media Could Allow Remote Code Execution

Important

MS11-088
Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege

MS11-089
Vulnerabilities in Microsoft Office could allow for Remote Code Execution

MS11-091
Vulnerabilities in Microsoft Publisher could allow Remote Code Execution

MS11-093
Vulnerability in Microsoft Windows OLE32 Could Allow Remote Code Execution

MS11-094
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution

MS11-095
Vulnerability in Active Directory Could Allow Remote Code Execution

MS11-096
Vulnerability in Microsoft Excel Could Allow Remote Code Execution

MS11-097
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege

MS11-098
Vulnerability in Windows Kernel Could Allow Elevation of Privilege

MS11-099
Cumulative Security Update for Internet Explorer

 


About the Author

, is one of the world’s foremost global information security and computer forensic experts in the industry. With more than 20 years of experience, Henry is a seasoned speaker, author and contributor for some of the leading security events and publications.

Follow Paul on Twitter @phenrycissp




