HEAT Security Blog

Some Holiday Cheer from Microsoft

Think the 12 Days of Christmas jingle:
On this Patch Tuesday before Christmas … Microsoft gave to me … 3 critical patches … 10 important ones … and a patch for the Duqu vulnerability …

We initially expected 14 bulletins for this December Patch Tuesday; however, the much-awaited fix for “The Beast” SSL issue was not released today after all. Given the extensive regression testing Microsoft does across various configurations, my assumption is that additional testing is likely required for an issue as complex as this.

Microsoft ended the year with 13 December bulletins and, fortunately for all of us, that includes the much-needed Duqu patch.

While at first glance 13 bulletins may seem like a large number, only 3 are critical. And while IT teams will see a needed break on Microsoft vulnerabilities this month, concerns over other, third-party applications should keep them busy through the end of the year.

December Patch Tuesday details:

  • 6 Windows vulnerabilities
  • 1 IE vulnerability
  • 5 Office vulnerabilities
  • 1 Windows Media Player vulnerability

2011 in review

Considering the previous years of Microsoft patches, this is not a bad way to end the year. Microsoft released 17 bulletins on the 2010 December Patch Tuesday. In total, 2011 saw 99 bulletins – down from 2010 when we saw 106. Clearly Microsoft has dramatically improved its software processes, and this is reflected in the continued decline of vulnerabilities considered critical in the current codebase. The numbers speak volumes on the improvements from Microsoft – in 2006, 70% of security patches were critical, and in 2011 critical vulnerabilities fell to just 30%. In an otherwise volatile threat landscape, this is good news for everyone.

Outside of Microsoft, IT staff are dealing with the zero-day Adobe vulnerability, as previously discussed on the Lumension Blog. Adobe is only releasing a patch for the Windows versions of the issue because that is the primary platform under attack. A fix for Unix and Mac users will not be available from Adobe until January 12, 2012. In all, Adobe released 121 bulletins this year, also down from last year.

Another trend worth mentioning is the increased use of Java as an emerging leading threat vector. As with the Adobe issues of the past few years, hackers are taking advantage of users’ failure to patch outdated versions. A recent article in Dark Reading noted that “… since the third quarter of 2010, Microsoft has detected or blocked some 6.9 million exploit attempts on Java each quarter, with a total of 27.5 million attempted exploits during that 12-month period”.


Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Cumulative Security Update for ActiveX Kill Bits

Vulnerability in Windows Media Could Allow Remote Code Execution


Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege

Vulnerabilities in Microsoft Office could allow for Remote Code Execution

Vulnerabilities in Microsoft Publisher could allow Remote Code Execution

Vulnerability in Microsoft Windows OLE32 Could Allow Remote Code Execution

Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution

Vulnerability in Active Directory Could Allow Remote Code Execution

Vulnerability in Microsoft Excel Could Allow Remote Code Execution

Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege

Vulnerability in Windows Kernel Could Allow Elevation of Privilege

Cumulative Security Update for Internet Explorer