Microsoft fixed 17 bugs in the Windows operating system, Microsoft Office, Windows Media Player and Internet Explorer. The fixes also cover a zero-day flaw exploited by the Duqu Trojan.
released 13 security bulletins to fix 17 different vulnerabilities as part of
Patch Tuesday update
, according to the advisory released Dec. 8. Three
bulletins were marked critical and the remaining 10 were rated important.
patch is a mixed bag of treats," Andrew Storms, director of security
operations at nCircle Security, told eWEEK
as the only critical issues addressed were a Windows Media drive-by flaw and
the TrueType font parsing issue exploited by the Duqu Trojan.
should prioritize the patch to close the TrueType flaw, as it is a zero-day
vulnerability that was exploited as part
of the Duqu targeted attacks
, Joshua Talbot, security intelligence manager
of Symantec Security Response, told eWEEK
Malicious email attachments exploited the vulnerability to load Duqu onto
targeted systems, according to Talbot.
Symantec generally ranks cumulative updates for Internet Explorer "pretty
high" on the priority list, none of the IE vulnerabilities addressed in
December's patch release was a high-impact issue, according to Talbot. While
still important, other bulletins, such as the DVR-MS memory corruption issue in
Windows Media Player, should take precedence, he said. The DVR-MS memory
corruption flaw "looks pretty simple to exploit" and can result in a
complete system takeover, according to Talbot.
was surprised the IE vulnerability was not rated critical. "I can't
remember the last time that happened," he told eWEEK
, but he believed this was an anomaly and not a sign of IE
becoming less vulnerable.
three bulletins for Microsoft Word, PowerPoint and Excel closed vulnerabilities
that would require users to simply open a file to trigger a malware infection.
Qualys rated them at the same level of criticality as the Windows Media and
TrueType flaw and recommended they be included in the "fast patch
originally said it would be releasing 14 security bulletins in its
prenotification announcement released Dec. 8. The bulletin that was supposed to
close the Secure Sockets Layer (SSL) vulnerability in Apache Web servers that
is being exploited by the BEAST tool was pulled "due to a bad interaction
with a high-profile vendor," Storms said. The last-minute change was an
indicator of the extensive testing Microsoft does on its patches.
been a very long time since Microsoft pulled a bulletin at the last
minute," Storms said, adding, "A bad patch makes for the worst sort
of IT heartburn."
predicted the patch will be available as part of the next Patch Tuesday release
on Jan. 9, and the delay shouldn't be an issue "because it's fairly
difficult to take advantage of this bug."
has issued 99 bulletins in 2011, noted Wolfgang Kandek, CTO of Qualys. "IT
administrators have had a significant amount of work to do each month," he
considering that there are two weeks left in 2011, Microsoft "just made it
through the year without delivering an out-of-band patch," Storms said.
Vulnerabilities also had generally lower severity ratings, he said.
severity issues decreased significantly in 2011 as compared with previous
years, Mike Reavey, senior director at Microsoft Security Response Center,
wrote on the MSRC blog Dec. 13. Only 32 percent of all 2011 bulletins were
rated critical, which was the lowest percentage since 2004, according to
Reavey. The percentage of important vulnerabilities has increased as the low
and moderate patches also shrank.
fact that we're seeing lower percentages of Critical issues and bulletins
year-over-year demonstrates progress made by the product groups in creating
more secure software," Reavey wrote.
company also managed to address reported issues "without resorting"
to out-of-band releases, which can be disruptive for customers, according to
Reavey. The ability to release workarounds and defenses through Microsoft's
Active Protection Program has helped Microsoft stick to the scheduled process,
new, improved risk mitigation technologies in Windows 7 and IE9 just might make
out-of-band Microsoft patches a thing of the past-and that would be the best
holiday gift Microsoft could give," according to Storms.