Wednesday, 14 December 2011

December 2011 Patch Tuesday sees 13 Microsoft bulletins, Duqu patch

Hillary O'Rourke, Contributor

Microsoft is leaving 2011 with a bang, not only issuing 13 security bulletins in its December 2011 Patch Tuesday but also providing the much-anticipated Duqu patch.

The software giant addressed the kernel-level Windows vulnerability being exploited by the Duqu Trojan with a “critical” bulletin, MS11-087. The vulnerability lies in the Win32k TrueType font-parsing engine and can be triggered if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files, Microsoft said. The patch requires a restart; if left unpatched, the flaw could allow remote code execution.

Two other bulletins were rated “critical”: MS11-090 and MS11-092. The privately reported MS11-090 resolves a vulnerability in Microsoft Windows that can allow remote code execution if a user views a malicious site in Internet Explorer. The bulletin also includes kill bits for four third-party ActiveX controls.

“Microsoft releases this every two or three months,” said Jason Miller, manager of analysis and development at Palo Alto, Calif.-based virtualization vendor VMware Inc. While the number of ActiveX control flaws has been in decline, the technology, which enables third-party developers to make use of Internet Explorer processes like rich media in applications, has been problematic. The Data Execution Prevention feature in Internet Explorer 8 has helped keep malicious code from executing on ActiveX errors.

MS11-092, also rated “critical,” affects Windows Media Player and Windows Media Center. According to the bulletin, the vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. However, Microsoft said an attack can only succeed if a user opens the file.

In a blog post, Microsoft researchers said MS11-092, in addition to the Duqu patch, should be considered first. However, Miller isn't too worried about the Media Player bulletin. “I'm not overly occupied with it as a result of the file format,” explained Miller. “Word documents are typical attachments that come through your email… video isn't.”

The remaining 10 bulletins are rated as “important.” MS11-089 affects Microsoft Office and could also allow remote code execution if a user opens a specially crafted Word file. Don DeBolt, director of threat research at Islandia, N.Y.-based security provider Total Defense, said some researchers may consider MS11-089 a critical update, because Microsoft Office is a standard attack vector. “This may very well be considered critical because most of the targeted attacks today leverage an email with an attachment that is almost definitely going to get opened and should be an Office document,” he explained. “Attackers are going to definitely leverage any exploit they are able to find in Microsoft Office Suites to deploy targeted attacks.”

Seven of the important bulletins may require a restart, including MS11-089. MS11-088 affects Microsoft Office IME (Chinese), MS11-091 deals with Microsoft Publisher, MS11-093 fixes a vulnerability in an OLE object in Windows XP and Windows Server 2003, MS11-094 affects Microsoft PowerPoint, MS11-095 deals with Active Directory, and MS11-096 fixes a flaw in Microsoft Excel.

The remaining three important bulletins do require a restart: MS11-097 fixes a vulnerability in the Windows Client/Server Run-time Subsystem; MS11-098 affects the Windows kernel; and MS11-099 is a security update for Internet Explorer.

“Ten of the bulletins could allow remote code execution,” said DeBolt, explaining that this is a significant number of that type. The other three vulnerabilities could allow elevation of privilege if left unpatched.

Bulletin delayed

Although the advance notification that Microsoft released on Thursday said there would be 14 bulletins in the year's last Patch Tuesday, only 13 were released. “There was a high quality issue with one of the bulletins,” said VMware's Miller. “This is a superb thing that they did not issue a patch.”

According to a Microsoft blog post, researchers “discovered an apps-compatibility issue between one bulletin-candidate and a significant third-party vendor.” The software giant is working with the vendor to address the problem, adding that they'd “much rather withdraw a possible bulletin than ship something that could inconvenience customers.”

