Microsoft released 13 security bulletins to fix 17 different vulnerabilities as part of its December Patch Tuesday update, according to the advisory released Dec. 8. Three bulletins were marked critical and the remaining 10 were rated important.
"December's patch is a mixed bag of treats," Andrew Storms, director of security operations at nCircle Security, told eWEEK, as the only critical issues addressed were a Windows Media drive-by flaw and the TrueType font parsing issue exploited by the Duqu Trojan.
Organizations should prioritize the patch to close the TrueType flaw, as it is a zero-day vulnerability that was exploited as part of the Duqu targeted attacks, Joshua Talbot, security intelligence manager of Symantec Security Response, told eWEEK. Malicious email attachments exploited the vulnerability to load Duqu onto targeted systems, according to Talbot.
While Symantec generally ranks cumulative updates for Internet Explorer "pretty high" on the priority list, none of the IE vulnerabilities addressed in December's patch release was a high-impact issue, according to Talbot. While still important, other bulletins, such as the DVR-MS memory corruption issue in Windows Media Player, should take precedence, he said. The DVR-MS memory corruption flaw "looks pretty simple to exploit" and can result in a complete system takeover, according to Talbot.
Storms was surprised the IE vulnerability was not rated critical. "I can't remember the last time that happened," he told eWEEK, but he believed this was an anomaly and not a sign of IE becoming less vulnerable.
The three bulletins for Microsoft Word, PowerPoint and Excel closed vulnerabilities that would require users to simply open a file to trigger a malware infection. Qualys rated them at the same level of criticality as the Windows Media and TrueType flaws and recommended they be included in the "fast patch cycle."
Microsoft originally said it would be releasing 14 security bulletins in its prenotification announcement released Dec. 8. The bulletin that was supposed to close the Secure Sockets Layer (SSL) vulnerability in Apache Web servers that is being exploited by the BEAST tool was pulled "due to a bad interaction with a high-profile vendor," Storms said. The last-minute change was an indicator of the extensive testing Microsoft does on its patches.
"It's been a very long time since Microsoft pulled a bulletin at the last minute," Storms said, adding, "A bad patch makes for the worst sort of IT heartburn."
Storms predicted the patch will be available as part of the next Patch Tuesday release on Jan. 9, and the delay shouldn't be an issue "because it's fairly difficult to take advantage of this bug."
Microsoft has issued 99 bulletins in 2011, noted Wolfgang Kandek, CTO of Qualys. "IT administrators have had a significant amount of work to do each month," he said.
Even considering that there are two weeks left in 2011, Microsoft "just made it through the year without delivering an out-of-band patch," Storms said. Vulnerabilities also had generally lower severity ratings, he said.
Critical severity issues decreased significantly in 2011 as compared with previous years, Mike Reavey, senior director at Microsoft Security Response Center, wrote on the MSRC blog Dec. 13. Only 32 percent of all 2011 bulletins were rated critical, which was the lowest percentage since 2004, according to Reavey. The percentage of important vulnerabilities has increased as the low and moderate patches also shrank.
"The fact that we're seeing lower percentages of Critical issues and bulletins year-over-year demonstrates progress made by the product groups in creating more secure software," Reavey wrote.
The company also managed to address reported issues "without resorting" to out-of-band releases, which can be disruptive for customers, according to Reavey. The ability to release workarounds and defenses through Microsoft's Active Protection Program has helped Microsoft stick to the scheduled process, he said.
"The new, improved risk mitigation technologies in Windows 7 and IE9 just might make out-of-band Microsoft patches a thing of the past—and that would be the best holiday gift Microsoft could give," according to Storms.