Microsoft released 13 bulletins on its final Patch Tuesday of 2011, with three rated as critical and 10 as ‘important’.
Despite initially stating that it would release 14, Microsoft withdrew one bulletin: Trustworthy Computing spokesperson Angela Gunn said that after discovering an application-compatibility issue between one bulletin candidate and a major third-party vendor's platform, the company decided to hold the patch back.
“We're currently working with that vendor to handle the difficulty on their platform, and then we'll issue the bulletin as appropriate. As ever, we'd much rather withdraw a possible bulletin than ship something that would inconvenience customers, however limited in scope that inconvenience might be,” said Gunn.
“The issue addressed in that bulletin, which we've been monitoring and against which we've seen no active attacks in the wild, was discussed in Security Advisory 2588513.”
Wolfgang Kandek, CTO at Qualys, said: “The originally anticipated 14th bulletin was for the BEAST attack, but failed to make it in time for the holidays owing to a last-minute software incompatibility uncovered during third-party testing. Still, with close to 100 bulletins per year, IT administrators have had a significant amount of work to do every month.
“The planned MS11-100 (which will now be MS12-001) is a fix for the other vulnerability that has POC code in the wild. The BEAST attack was disclosed at Ekoparty 2011 in Buenos Aires and affects all web servers that support SSLv3/TLSv1 encryption. We're hopeful that you've already applied the currently recommended workaround in Microsoft's advisory KB2588513, which is to configure the web server to favour the non-affected RC4 cipher in the SSL setup. MS11-100/MS12-001 will provide a code fix, and we recommend applying it once it becomes available.”
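The workaround Kandek refers to is a server-side cipher preference: for SSLv3/TLS 1.0 clients, put an RC4 suite ahead of every CBC suite so that a client offering both negotiates the stream cipher. The following audit script is an added example, not code from the article, Qualys or Microsoft. It assumes a comma-separated suite list in the IANA/Schannel naming style (the form used by the Windows ‘SSL Cipher Suite Order’ policy), classifies suites by the `_RC4_` and `_CBC_` name fragments, and reports whether the configured order actually has the intended effect; the two sample orders are constructed for the example.

```python
"""Audit a TLS cipher-suite preference order for the 2011 BEAST workaround.

Added example (not from the article, Qualys or Microsoft). The KB2588513
workaround was to make the web server prefer the RC4 stream cipher over
CBC block-cipher suites, since BEAST only applies to CBC mode under
SSLv3/TLS 1.0. Suite names follow the IANA/Schannel convention, e.g.
TLS_RSA_WITH_RC4_128_SHA or TLS_RSA_WITH_AES_128_CBC_SHA.
"""

from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample orders (assumption: server honours its own preference
# order, as Schannel and most web servers do when configured to).
DEFAULT_LIKE_ORDER = (
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_RC4_128_SHA,"
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
)
WORKAROUND_ORDER = (
    "TLS_RSA_WITH_RC4_128_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
)


@dataclass
class AuditResult:
    """Outcome of checking one preference order."""
    workaround_in_effect: bool          # RC4 precedes every CBC suite
    first_rc4: Optional[str]            # first RC4 suite found, if any
    cbc_before_rc4: List[str] = field(default_factory=list)  # CBC suites ranked above it


def parse_cipher_order(value: str) -> List[str]:
    """Split a comma-separated suite list, dropping blanks and whitespace."""
    return [s.strip() for s in value.split(",") if s.strip()]


def classify(suite: str) -> str:
    """Return 'rc4', 'cbc' or 'other' based on the suite name alone."""
    name = suite.upper()
    if "_RC4_" in name:
        return "rc4"
    if "_CBC_" in name:
        return "cbc"
    return "other"          # NULL, GCM and similar suites are not BEAST-relevant


def audit_cipher_order(order: List[str]) -> AuditResult:
    """The workaround holds only if the first RC4 suite outranks all CBC suites.

    Walk the list in preference order; every CBC suite seen before the first
    RC4 suite is one a CBC-capable client could be steered to instead.
    """
    cbc_seen: List[str] = []
    for suite in order:
        kind = classify(suite)
        if kind == "cbc":
            cbc_seen.append(suite)
        elif kind == "rc4":
            return AuditResult(not cbc_seen, suite, cbc_seen)
    # No RC4 suite at all: the preference-based workaround cannot apply.
    return AuditResult(False, None, cbc_seen)


def describe(value: str) -> str:
    """Human-readable one-line verdict for a configured order string."""
    result = audit_cipher_order(parse_cipher_order(value))
    if result.first_rc4 is None:
        return "no RC4 suite configured; BEAST workaround not in effect"
    if result.workaround_in_effect:
        return f"workaround in effect: {result.first_rc4} ranked above all CBC suites"
    return ("workaround NOT in effect: CBC suites ranked above "
            f"{result.first_rc4}: {', '.join(result.cbc_before_rc4)}")


if __name__ == "__main__":
    for label, order in (("default-like", DEFAULT_LIKE_ORDER),
                         ("reordered", WORKAROUND_ORDER)):
        print(f"{label}: {describe(order)}")
```

Two points for anyone reading this advice today: the preference is a mitigation, not a guarantee, because a client that does not offer RC4 still negotiates a CBC suite; and RC4 has since been prohibited in TLS (RFC 7465), so the durable fix now is retiring SSLv3/TLS 1.0 rather than preferring RC4.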
Microsoft recommended addressing patches MS11-087 and MS11-092 first. MS11-087 fixes a flaw in TrueType font (TTF) handling in the Windows kernel that has been used in the wild to plant the Duqu Trojan; it can be triggered by opening an Office document or, with some more work, simply by visiting a web page.
Kandek said: “Now that the patch is out, we can expect an exploit to be coded and become available in a short time.”
Jason Miller, manager of research and development at VMware, said: “Microsoft released Security Advisory 2639658 on 3 November for this vulnerability, but this advisory was released prior to the November 2011 Patch Tuesday.
“There was speculation at the time that Microsoft would patch this vulnerability in the November 2011 Patch Tuesday release. Exploit code for this vulnerability was published and Microsoft received reports of limited attacks against this vulnerability, but Microsoft didn't see widespread attacks against the zero-day vulnerability and this patch didn't make it into the November release cycle.
“This allowed Microsoft to release the corresponding security bulletin during today's Patch Tuesday. As with any zero-day vulnerability, it's critical to patch your systems as soon as possible. So far the vulnerability has been exploited a limited number of times; however, the possibility of a widespread attack is often greater with zero-day vulnerabilities.”
As for patch MS11-092, Kandek said that this addresses a flaw in Windows Media Player, which is attacked through a specially crafted DVR-MS file.
Among the ‘important’ patches, Miller highlighted MS11-099, which fixes multiple vulnerabilities in Internet Explorer, although none of the vulnerabilities is publicly known or actively being attacked.
“There is a crucial note regarding Security Bulletin MS11-088 that administrators ought to be aware of. This bulletin is only available from the Microsoft Download Center. This means administrators must manually find the affected product on their network and manually apply the patch,” he said.
“This bulletin affects the IME for Chinese Office installations. The Office installation needs to be Chinese. Any other installation of Office in a language other than Chinese isn't affected unless it has been installed with the Chinese Pinyin IME component.”
Kandek said: “MS11-089, MS11-094 and MS11-096 are all Office (Word, PowerPoint, Excel respectively) related vulnerabilities and require users to open a file to be triggered. We rate them on the same level of criticality as MS11-087 or MS11-092 - they need to be included in your fast patch cycle.”
Paul Henry, security and forensic analyst at Lumension, said: “Considering previous years of Microsoft patches, this isn't a bad way to end the year. Microsoft released 17 bulletins at the December 2010 Patch Tuesday. In total, 2011 saw 99 bulletins, down from 2010 when we saw 106.
“Clearly Microsoft has dramatically improved its software processes and that is reflected in the continued decline of vulnerabilities considered critical in the current codebase. The numbers speak volumes about the improvements from Microsoft: in 2006, 70 per cent of security patches were critical and in 2011 critical vulnerabilities fell to only 30 per cent. In an otherwise volatile threat landscape, this is excellent news for everybody.”