Microsoft’s 13 December security bulletins

Dec 13, 2011
Data and Information Security

Microsoft released 13 security bulletins (three Critical, 10 Important) as part of its regular monthly patch cycle a few minutes ago. Here’s what two experts are saying about it:

Joshua Talbot, security intelligence manager, Symantec Security Response:

The most important patch this month is the TrueType Font Parsing issue, which is the zero-day vulnerability exploited as part of the Duqu targeted attacks. The Duqu malware didn’t actually incorporate an exploit for this issue in its code, but the vulnerability was used by malicious email attachments to load Duqu onto targeted systems.

We typically put Internet Explorer cumulative updates pretty high on our priority list. But this month none of the IE vulnerabilities are particularly high-impact issues. They’re still important, but we suggest prioritizing quite a few of the other bulletins ahead of them. For example, the Windows Media Player DVR-MS memory corruption issue. This one looks pretty simple to exploit and can result in a complete system takeover. To make matters worse, DEP and ASLR only offer limited protection here.

Wolfgang Kandek, CTO of Qualys:

This month, we have 13 Security Bulletins instead of the expected 14, bringing us up to 99 bulletins this year. The originally anticipated 14th bulletin was for the BEAST attack, but did not make it in time for the holidays due to a last-minute software incompatibility uncovered during third-party testing. Still, with close to 100 bulletins per year, IT administrators have had a significant amount of work to do each month.

To be fair, not all of the bulletins apply to everybody or even have the same urgency to install; however, there are always a number of updates each month that are, in our view, higher priority. In December we have a few clear candidates that you should install as quickly as possible:

1. MS11-087 is a critical fix for a flaw in the TrueType font handling (TTF) in the Windows kernel. It can be triggered through the opening of an Office document or, with some more work, by simply going to a web page. The flaw has seen use in the wild to plant the Duqu malware, and Microsoft had previously published an advisory for it – KB2639658. Now that the patch is out, we can expect an exploit to be coded and become available in a short time.

2. MS11-092 addresses a flaw in Windows Media Player, which can be attacked through a specially crafted DVR-MS file. It is critical and can be triggered through simple web browsing, so you should fix it as quickly as possible.

3. MS11-089, MS11-094 and MS11-096 are all Office-related vulnerabilities (Word, PowerPoint and Excel respectively) and require users to open a file to be triggered. We rate them at the same level of criticality as MS11-087 or MS11-092 – they should be included in your fast patch cycle.

The planned MS11-100 (which may now be MS12-001) is a fix for the other vulnerability that has PoC code in the wild. The BEAST attack was disclosed at Ekoparty 2011 in Buenos Aires and affects all web servers that support SSLv3/TLSv1 encryption. We are hopeful that you have already applied the currently recommended workaround in Microsoft’s advisory KB2588513, which is to configure the web server to favor the non-affected RC4 cipher in the SSL setup. MS11-100/MS12-001 will provide a code fix, and we recommend applying it as soon as it becomes available.

There is one more bulletin expected this week – not from Microsoft but from Adobe for Adobe Reader. It is critical and in use in the wild, apparently prevalent enough to have Adobe break its normal cycle and release a patch out-of-band. Apply it as soon as it comes out, or even better, upgrade to Adobe Reader X, which cannot be exploited by the vulnerability, due to its sandboxing. Adobe Reader X being immune has happened now three times in 2011, a clear demonstration of the power of the sandboxing technology that is being used in most modern browsers as well.

–Bill Brenner
