Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cloud
    • Cybersecurity
    • Networking

    Microsoft Patches 17 Bugs in December Patch Tuesday

    By
    Fahmida Y. Rashid
    -
    December 13, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Microsoft released 13 security bulletins to fix 17 different vulnerabilities as part of its December Patch Tuesday update, according to the advisory released Dec. 8. Three bulletins were marked critical and the remaining 10 were rated important.

      “December’s patch is a mixed bag of treats,” Andrew Storms, director of security operations at nCircle Security, told eWEEK, as the only critical issues addressed were a Windows Media drive-by flaw and the TrueType font parsing issue exploited by the Duqu Trojan.

      Organizations should prioritize the patch to close the TrueType flaw, as it is a zero-day vulnerability that was exploited as part of the Duqu targeted attacks, Joshua Talbot, security intelligence manager of Symantec Security Response, told eWEEK. Malicious email attachments exploited the vulnerability to load Duqu onto targeted systems, according to Talbot.

      While Symantec generally ranks cumulative updates for Internet Explorer “pretty high” on the priority list, none of the IE vulnerabilities addressed in December’s patch release was a high-impact issue, according to Talbot. While still important, other bulletins, such as the DVR-MS memory corruption issue in Windows Media Player, should take precedence, he said. The DVR-MS memory corruption flaw “looks pretty simple to exploit” and can result in a complete system takeover, according to Talbot.

      Storms was surprised the IE vulnerability was not rated critical. “I can’t remember the last time that happened,” he told eWEEK, but he believed this was an anomaly and not a sign of IE becoming less vulnerable.

      The three bulletins for Microsoft Word, PowerPoint and Excel closed vulnerabilities that would require users to simply open a file to trigger a malware infection. Qualys rated them at the same level of criticality as the Windows Media and TrueType flaw and recommended they be included in the “fast patch cycle.”

      Microsoft originally said it would be releasing 14 security bulletins in its prenotification announcement released Dec. 8. The bulletin that was supposed to close the Secure Sockets Layer (SSL) vulnerability in Apache Web servers that is being exploited by the BEAST tool was pulled “due to a bad interaction with a high-profile vendor,” Storms said. The last-minute change was an indicator of the extensive testing Microsoft does on its patches.

      “It’s been a very long time since Microsoft pulled a bulletin at the last minute,” Storms said, adding, “A bad patch makes for the worst sort of IT heartburn.”

      Storms predicted the patch will be available as part of the next Patch Tuesday release on Jan. 9, and the delay shouldn’t be an issue “because it’s fairly difficult to take advantage of this bug.”

      Microsoft has issued 99 bulletins in 2011, noted Wolfgang Kandek, CTO of Qualys. “IT administrators have had a significant amount of work to do each month,” he said.

      Even considering that there are two weeks left in 2011, Microsoft “just made it through the year without delivering an out-of-band patch,” Storms said. Vulnerabilities also had generally lower severity ratings, he said.

      Critical severity issues decreased significantly in 2011 as compared with previous years, Mike Reavey, senior director at Microsoft Security Response Center, wrote on the MSRC blog Dec. 13. Only 32 percent of all 2011 bulletins were rated critical, which was the lowest percentage since 2004, according to Reavey. The percentage of important vulnerabilities has increased as the low and moderate patches also shrank.

      “The fact that we’re seeing lower percentages of Critical issues and bulletins year-over-year demonstrates progress made by the product groups in creating more secure software,” Reavey wrote.

      The company also managed to address reported issues “without resorting” to out-of-band releases, which can be disruptive for customers, according to Reavey. The ability to release workarounds and defenses through Microsoft’s Active Protection Program has helped Microsoft stick to the scheduled process, he said.

      “The new, improved risk mitigation technologies in Windows 7 and IE9 just might make out-of-band Microsoft patches a thing of the past-and that would be the best holiday gift Microsoft could give,” according to Storms.

      Fahmida Y. Rashid
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×