Microsoft Plans Patches for 20 Bugs in December Patch Tuesday

Microsoft plans to patch 20 vulnerabilities in the Windows operating system for both the desktop and the server, Microsoft Office, Internet Explorer, Microsoft Publisher and Windows Media Player.
Microsoft is also apparently patching the flaw that was being exploited by the Duqu Trojan earlier this year, although the Patch Tuesday advisory doesn’t mention it by name.
For its last Patch Tuesday of 2011, Microsoft will release 14 security bulletins, of which three are rated “critical” and will close remote code execution flaws, according to the Microsoft Security Bulletin Advance Notification on Dec. 8. The remaining bulletins are rated “important” and address remote code execution, elevation of privilege and information disclosures flaws in Microsoft Office, Internet Explorer and Windows Media Player.
The critical updates address seven security holes in Windows XP, Vista, Windows 2003 and Windows 2008. While the issues exist to some extent in Windows 7 and Windows 2008, most of the issues are in the older Windows XP, according to Microsoft. The important patches also fixed five bugs in Microsoft Office 2003, 2007 and 2010 and one in Windows Media Player.
“Think the -12 Days of Christmas’: on this Patch Tuesday before Christmas Microsoft gave to me, three critical patches, 11 important ones and a patch for the Duqu vulnerability,” Paul Henry, security and forensic analyst at Lumension, told eWEEK.
The operating system update also fixed the TrueType font parsing vulnerability that allowed malicious code execution that was exploited by the Duqu Trojan. Microsoft also fixed the Secure Socket Layer (SSL) 3.0 and transport layer security (TLS) 1.0 bug that was exploited by the BEAST attack tool that was released over the summer.
The operating system flaws were “especially exciting” as they exist in a wide range of platforms, Alex Horan, senior product manager at Core Security, told eWEEK. An exploit could “worm through all the windows machines present in a network,” he said.
While Microsoft didn’t specifically mention the Duqu Trojan or its advisory from early November disclosing the zero-day vulnerability in its pre-notification announcement, one of the bulletins is likely the “Duqu zero-day patch” because it requires a restart, Marcus Carey, security researcher at Rapid7, told eWEEK. The restart “indicates it’s a kernal level bug that is being patched,” he said, and noted the patch affects all the same operating systems that was listed in the previous security advisory.
The code execution issues in Office would give attackers a fresh set of client side exploit capabilities, according to Horan. These issues “may have a long shelf life” because administrators often delay pushing out these patches to users because they don’t want to cause issues with the users’ ability to work, he said.
While 14 bulletins may “seem like a lot,” there are only three critical patches, which reflects how Microsoft has improved its overall security over the years, according to Henry. The number of “critical” patches Microsoft released for Patch Tuesday over the year has declined dramatically recently, he said. Back in 2006, critical patches accounted for 70 percent of all the security patches released. That number has dropped to just 30 percent in 2011, Henry told eWEEK.