Microsoft is leaving 2011 with a bang, issuing not only 13 security bulletins in its December 2011 Patch Tuesday, but also providing the much anticipated Duqu patch.
The software giant addressed the kernel-level Windows vulnerability being exploited by the Duqu Trojan with a “critical” bulletin, MS11-087. The vulnerability lies in the Win32k TrueType font parsing engine and can be triggered if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files, Microsoft said. The update requires a restart; if left unpatched, the flaw could allow remote code execution.
Two other bulletins, MS11-090 and MS11-092, were rated as “critical.” The privately reported MS11-090 resolves a vulnerability in Microsoft Windows that could allow remote code execution if a user views a malicious webpage in Internet Explorer. The bulletin also includes kill bits for four third-party ActiveX controls.
“Microsoft releases this every two or three months,” said Jason Miller, manager of research and development at Palo Alto, Calif.-based virtualization vendor VMware Inc. While the number of ActiveX control flaws has been in decline, the technology, which enables third-party developers to use Internet Explorer processes like rich media in applications, has been problematic. The Data Execution Prevention feature in Internet Explorer 8 has helped reduce malicious code from executing on ActiveX errors.
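The kill bits mentioned above work through a registry flag that Internet Explorer consults before instantiating a control. The following PowerShell function is an added example (it is not from the article or from Microsoft) that lets an administrator verify whether a given CLSID has been kill-bitted; the CLSID shown is a placeholder, since the article does not list the four controls covered by MS11-090, and the real values must be taken from the bulletin.

```powershell
# Added example (not from the article): verify that an ActiveX control has the
# Internet Explorer "kill bit" set, the mechanism MS11-090 uses to block four
# third-party controls. Internet Explorer refuses to instantiate a control whose
# "Compatibility Flags" value under the ActiveX Compatibility key has bit 0x400 set.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid   # placeholder format: '{00000000-0000-0000-0000-000000000000}'
    )

    $keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    # No key at all means no kill bit has been applied for this control.
    if (-not (Test-Path -Path $keyPath)) {
        return [pscustomobject]@{ Clsid = $Clsid; KeyPresent = $false; KillBitSet = $false }
    }

    $flags = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'

    # The kill bit is 0x400; other bits in the value carry unrelated compatibility settings.
    $killBitSet = ($null -ne $flags) -and (($flags -band 0x400) -eq 0x400)

    return [pscustomobject]@{ Clsid = $Clsid; KeyPresent = $true; KillBitSet = $killBitSet }
}

# Usage: placeholder CLSID list; replace with the CLSIDs published in MS11-090.
$clsidsToCheck = @('{00000000-0000-0000-0000-000000000000}')
$clsidsToCheck | ForEach-Object { Test-ActiveXKillBit -Clsid $_ } | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit browser reads the equivalent key under `HKLM:\SOFTWARE\Wow6432Node\...`, so a complete check on such systems should query both hives; a control reported with `KillBitSet` equal to `$false` after the update is installed is worth investigating rather than assuming the patch applied.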
MS11-092, also rated “critical,” affects Windows Media Player and Windows Media Center. According to the bulletin, the vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. However, Microsoft said an attack can only be successful if a user opens the file.
In a blog post, Microsoft researchers said MS11-092, along with the Duqu patch, should be prioritized. However, Miller isn’t too worried about the Media Player bulletin. “I’m not overly concerned about it due to the file format,” explained Miller. “Word documents are typical attachments that come through your email … video isn’t.”
The remaining 10 bulletins are rated “important.” MS11-089 affects Microsoft Office and could also allow remote code execution if a user opens a specially crafted Word file. Don DeBolt, director of threat research at Islandia, NY-based security provider Total Defense, said some researchers may consider MS11-089 a critical update, because Microsoft Office is a common attack vector. “This could be considered critical because many of the targeted attacks today leverage an email with an attachment that is most likely going to get opened and will be an Office document,” he explained. “Attackers are going to definitely leverage any exploit they can find in Microsoft Office Suites to deploy targeted attacks.”
Seven of the “important” bulletins may require a restart, including MS11-089. MS11-088 affects Microsoft Office IME (Chinese); MS11-091 deals with Microsoft Publisher; MS11-093 fixes a vulnerability in an OLE object in Windows XP and Windows Server 2003; MS11-094 affects Microsoft PowerPoint; MS11-095 deals with Active Directory, and MS11-096 fixes a flaw in Microsoft Excel.
The remaining three “important” bulletins do require a restart: MS11-097 fixes a vulnerability in the Windows Client/Server Run-time Subsystem; MS11-098 affects the Windows Kernel, and MS11-099 is a security update for Internet Explorer.
“Ten of the bulletins could allow remote code execution,” said DeBolt, noting that this is a significant number of bulletins of that kind. The other three vulnerabilities could allow an elevation of privilege if left unpatched.
Although the advance notice that Microsoft released on Thursday said there would be 14 bulletins in the year’s last Patch Tuesday, only 13 were addressed. “There was a quality issue with one of the bulletins,” said VMware’s Miller. “This is a good thing that they didn’t issue a patch.”
According to a Microsoft blog post, researchers “discovered an apps-compatibility issue between one bulletin-candidate and a major third-party vendor.” The software giant is working with the vendor to address the issue, adding they’d “much rather withdraw a potential bulletin than ship something that might inconvenience customers.”