Issues headlining the latest Patch Tuesday began with MS11-087, a critical bulletin that targeted the infamous Duqu Trojan accused of exploiting a kernel-level vulnerability in Windows. According to Microsoft, this specific problem was detected as being part of the Win32k TrueType font parsing engine and is triggered by a user visiting a webpage that embeds TrueType font files. Opening a malicious document created to exploit the vulnerability could trigger the problem as well. Fixing the vulnerability does require a restart, but leaving it unpatched leaves the door open for remote code execution.
The next issue deemed critical was covered by Microsoft’s MS11-090 bulletin and involved a Windows vulnerability that permitted remote code execution to occur once Internet Explorer users viewed malicious webpages. The bulletin also offered kill bits for multiple third-party ActiveX controls. ActiveX gives third-party developers the ability to use Internet Explorer processes, but has had its share of problems in the past. ActiveX’s control-based problems have been on the decline as of late, yet still persist, causing Microsoft to release such fixes every two or three months, according to Jason Miller of VMware Inc. Malicious code execution on ActiveX errors has also been diminished thanks to Microsoft’s implementation of a data execution prevention feature in Internet Explorer 8.
The third and final critical update included in Patch Tuesday for December, MS11-092, fixed a vulnerability found in Windows Media Center and Windows Media Player. Microsoft said the vulnerability allows remote code execution to occur should a user open a .dvr-ms, or Digital Video Recording file.
As for ranking the three critical updates in terms of urgency, a Microsoft blog post on the matter listed MS11-087 and MS11-092 as top priority, with the most emphasis being placed on the Duqu patch. Miller commented, however, that the Windows Media Player bulletin, MS11-092, should not cause too much concern, particularly due to its file format. He noted that video files as email attachments are not too common, unlike Microsoft Word documents that seem to make the rounds.
The highlight of the remaining ten bulletins, all of which are listed under the “important” label, is MS11-089. It targets Microsoft Office and the possibility of remote code execution in the event that a user opens a malicious Word file. The bulletin’s status as important is questionable to some researchers who believe it should be listed as critical since Microsoft Office is such a common attack vector. Total Defense’s director of threat research Don DeBolt said: “This could be considered critical because many of the targeted attacks today leverage an email with an attachment that is most likely going to get opened and will be an Office document. Attackers are going to definitely leverage any exploit they can find in Microsoft Office Suites to deploy targeted attacks.”
While MS11-089 may require a restart, three important bulletins definitely require one, beginning with MS11-097, which targets a hole in the Windows Client/Server Runtime Subsystem. MS11-098, which covers Windows Kernel, and MS11-099, which addresses Internet Explorer security, are the other two.
The remaining important bulletins may require a restart. They include:
• MS11-088 – Microsoft Office IME (Chinese)
• MS11-091 – Microsoft Publisher
• MS11-093 – Microsoft XP and Windows Server 2003
• MS11-094 – Microsoft PowerPoint
• MS11-095 – Active Directory
• MS11-096 – Microsoft Excel
DeBolt noted that ten of the bulletins could result in remote code execution, while the other three, if left unpatched, could permit an elevation of privilege.
December’s Patch Tuesday would have been bigger, but Microsoft decided to scrap bulletin number 14 prior to the official release date. The reason for the omission is that the bulletin had a perceived quality issue. More specifically, Microsoft’s blog post said that the company’s researchers “discovered an apps-compatibility issue between one bulletin-candidate and a major third-party vendor.” Microsoft added that it prefers to hold a bulletin back rather than ship it to avoid any quality issues for its users, and that it is working with the third-party vendor to correct any problems.
The 13 bulletins for December bring the Patch Tuesday total for the year to 99. Such a number of bulletins obviously kept IT administrators busy over the year, but the overall severity of the issues decreased over previous years. Mike Reavey, senior director of Microsoft’s Security Response Center, noted that only 32 percent of 2011 bulletins were critical, the lowest level since 2004. The progress is definitely positive, even though continuous work must be done to make software more secure.
For more on this topic, visit http://searchsecurity.techtarget.com/news/2240112481/December-2011-Patch-Tuesday-sees-13-Microsoft-bulletins-Duqu-patch