Microsoft released 13 bulletins on its final Patch Tuesday of 2011, with three rated as critical and 10 as ‘important’.
Despite initially stating that it would release 14 patches, Microsoft Trustworthy Computing spokesperson Angela Gunn said that after discovering an apps-compatibility issue between one bulletin candidate and a major third-party vendor, it decided to withdraw the patch.
“We're currently working with that vendor to address the issue on their platform, after which we'll issue the bulletin as appropriate. As ever, we'd much rather withdraw a potential bulletin than ship something that might inconvenience customers, however limited that inconvenience in scope,” said Gunn.
“The issue addressed in that bulletin, which we have been monitoring and against which we have seen no active attacks in the wild, was discussed in Security Advisory 2588513.”
Wolfgang Kandek, CTO at Qualys, said: “The original anticipated 14th bulletin was for the BEAST attack, but did not make it in time for the holidays due to a last minute software incompatibility uncovered during third party testing. Still, with close to 100 bulletins per year, IT administrators have had a significant amount of work to do each month.
“The planned MS11-100 (which may now be MS12-001) is a fix for the other vulnerability that has POC code in the wild. The BEAST attack was disclosed at Ekoparty 2011 in Buenos Aires and affects all web servers that support SSLv3/TLSv1 encryption. We are hopeful that you have already applied the currently recommended workaround in Microsoft's advisory KB2588513, which is to configure the web server to favor the non-affected RC4 cipher in the SSL setup. MS11-100/MS12-001 will provide a code fix, and we recommend applying it as soon as it becomes available.”
Microsoft recommended addressing MS11-087 and MS11-092 first. MS11-087 fixes a flaw in TrueType font (TTF) handling in the Windows kernel that had been used in the wild to plant the Duqu Trojan; it can be triggered by opening an Office document or, with some more work, simply by visiting a web page.
Kandek said: “Now that the patch is out, we can expect an exploit to be coded and become available in a short time.”
Jason Miller, manager of research and development at VMware, said: “Microsoft released Security Advisory 2639658 on 3 November for this vulnerability, but this advisory was released just before the November 2011 Patch Tuesday.
“There was speculation at the time that Microsoft would patch this vulnerability in the November 2011 Patch Tuesday release. Exploit code for this vulnerability was published and Microsoft received reports of limited attacks against this vulnerability, but Microsoft did not see widespread attacks against the zero-day vulnerability and this patch did not make it into the November release cycle.
“This allowed Microsoft to release the corresponding security bulletin during today's Patch Tuesday. As with any zero-day vulnerability, it is critical to patch your systems as soon as possible. To date the vulnerability has been exploited a limited number of times, but the possibility of a widespread attack is always greater with zero-day vulnerabilities.”
As for MS11-092, Kandek said that it addresses a flaw in Windows Media Player that can be attacked through a specially crafted DVR-MS file.
Among the ‘important’ patches, Miller highlighted MS11-099, which fixes multiple vulnerabilities in Internet Explorer, although none of the vulnerabilities are publicly known or actively being attacked.
“There is an important note regarding Security Bulletin MS11-088 that administrators should be aware of. This bulletin is only available on the Microsoft Download Center. This means administrators must manually find the affected product on their network and manually apply the patch,” he said.
“This bulletin affects IME for Chinese Office installations. The Office installation must be Chinese. Any other installation of Office in a language other than Chinese is not affected unless they have been installed with the Chinese Pinyin IME component.”
Kandek said: “MS11-089, MS11-094 and MS11-096 are all Office (Word, PowerPoint, Excel respectively) related vulnerabilities and require users to open a file to be triggered. We rate them at the same level of criticality as MS11-087 or MS11-092 - they should be included in your fast patch cycle.”
Paul Henry, security and forensic analyst at Lumension, said: “Considering the previous years of Microsoft patches, this is not a bad way to end the year. Microsoft released 17 bulletins on the 2010 December Patch Tuesday. In total, 2011 saw 99 bulletins – down from 2010 when we saw 106.
“Clearly Microsoft has dramatically improved its software processes and this is reflected in the continued decline of vulnerabilities considered critical in the current codebase. The numbers speak volumes on the improvements from Microsoft: in 2006, 70 per cent of security patches were critical and in 2011 critical vulnerabilities fell to just 30 per cent. In an otherwise volatile threat landscape, this is good news for everyone.”