Patch Tuesday analysis for December 2011

Filed Under: Adobe, Featured, Malware, Microsoft, Vulnerability

As always on the second Tuesday of the month, Microsoft and Adobe release their monthly security bulletins.

This month Microsoft has released 13 bulletins, although it had originally announced there would be 14. In the final stages of QA, Microsoft discovered an application incompatibility with a major software vendor.

This is another reason I would love to declare change control a dead concept when it comes to Microsoft, Adobe and Java patches.

The vendors do an excellent job of assuring compatibility, and the time you spend waiting on and testing patches is being put to much better use by your adversaries.

Three of this month's Microsoft bulletins are rated critical. Two of these, MS11-087 and MS11-092, deserve the most attention.

MS11-087 is known as the Duqu zero-day remote code execution flaw. This vulnerability in the Windows kernel can be exploited by attackers who embed specially crafted TrueType fonts in documents.

Considering that attackers are actively exploiting this flaw, it is certainly an important one, although at this time it appears that only the people behind Duqu know how to use it successfully.

MS11-092 affects Windows Media Player and also allows an attacker remote code execution. Microsoft rates it critical, although to exploit it an attacker must trick the user into downloading and opening a malicious .dvr-ms file.

Other Microsoft product fixes include Internet Explorer, MS Office, MS Publisher, Active Directory, OLE and the Windows kernel.

Since MS11-087 patches the kernel and requires a restart, I recommend installing all of these fixes at once to save on restarts.

SophosLabs rates all of these vulnerabilities as Medium except for the MS11-087 Duqu vulnerability.

It is a pretty quiet month for Adobe, with just two bulletins, covering the Adobe Flex SDK and Adobe ColdFusion.

The Flex bug is a cross-site scripting (XSS) vulnerability. The ColdFusion bug appears to be the same kind of flaw and is also called out as an XSS bug. Both patches are rated important.

It's a bad time of year to get into patching production systems, but if you can get these done before the holiday break things might go more smoothly when you return in January.

Happy holidays, and good luck with your patching!


8 Responses to Patch Tuesday analysis for December 2011

  1. Pete Miles · 993 days ago

    Many forums/boards/experts quote MS-whatever, but Windows Update quotes KB....... How do we know what to include or exclude, as many experts say 'hold', wait and so on?

    Pete
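The mismatch Pete describes, bulletin IDs (MS11-087) in advisories versus KB article numbers in Windows Update, is usually handled by keeping a bulletin-to-KB table and reconciling it against what the machine reports as installed. The script below is an added example and is not part of the article or the comment thread. The bulletin-to-KB table uses constructed placeholder KB numbers, since the page does not give the real ones, and the hotfix listing only mimics the shape of `Get-HotFix` / `wmic qfe` output; both are assumptions.

```python
"""
Reconcile Microsoft security bulletin IDs against the KB numbers that
Windows Update reports as installed.

Added example, not from the article or the comments. The bulletin-to-KB
table is CONSTRUCTED with placeholder KB numbers (replace it with the
mapping from the vendor's bulletin summary), and the hotfix listing below
is constructed to look like Get-HotFix / wmic qfe output.
"""
import re

# Constructed mapping: bulletin -> KB article(s) that deliver it.
# One bulletin can ship as several KBs (one per affected component),
# which is exactly why the IDs on a forum and in Windows Update differ.
BULLETIN_TO_KB = {
    "MS11-087": ["KB0000001"],               # placeholder KB
    "MS11-092": ["KB0000002", "KB0000003"],  # placeholder KBs
}

# Constructed sample of a hotfix listing; only the HotFixID column matters.
SAMPLE_HOTFIX_OUTPUT = """\
Source  Description      HotFixID   InstalledBy          InstalledOn
------  -----------      --------   -----------          -----------
        Security Update  KB0000001  NT AUTHORITY\\SYSTEM  12/14/2011
        Security Update  KB0000002  NT AUTHORITY\\SYSTEM  12/14/2011
        Update           KB0000099  NT AUTHORITY\\SYSTEM  11/09/2011
"""

# KB article numbers are 5 to 7 digits; match case-insensitively.
KB_RE = re.compile(r"\bKB(\d{5,7})\b", re.IGNORECASE)


def installed_kbs(hotfix_output: str) -> set:
    """Extract the set of KB ids (normalised to 'KBnnnnnnn') from hotfix output."""
    return {f"KB{m.group(1)}" for m in KB_RE.finditer(hotfix_output)}


def audit(bulletin_to_kb: dict, installed: set) -> dict:
    """Return {bulletin: [missing KBs]} for every bulletin not fully installed.

    A bulletin counts as installed only when every KB it maps to is present.
    """
    missing = {}
    for bulletin, kbs in bulletin_to_kb.items():
        absent = [kb for kb in kbs if kb.upper() not in installed]
        if absent:
            missing[bulletin] = absent
    return missing


if __name__ == "__main__":
    present = installed_kbs(SAMPLE_HOTFIX_OUTPUT)
    for bulletin, kbs in audit(BULLETIN_TO_KB, present).items():
        print(f"{bulletin}: missing {', '.join(kbs)}")
```

On a real host you would feed `installed_kbs()` the text of `Get-HotFix` or `wmic qfe list` instead of the constructed sample. One caveat a practitioner should keep in mind: Windows Update may install a later KB that supersedes the one in your table, so a KB reported as absent is a prompt to check supersedence, not proof that the bulletin is unpatched.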

  2. Mike Perry · 992 days ago

    Why does M$ not realise that AV updates, specifically for MSE, are actually *required* updates and should not be optional? Whenever they reach Patch Tuesday, any updates for MSE are always available only as optional, which means that people who have set their update preferences to automatic may well not get them! Dangerous or what? It makes more sense to set them as *required* for the sake of safety and security.
    Plus, why do they insist that a change to the Bing search toolbar (that no one I know uses) is *required* when it is logically an option?

    • MSE updates itself apart from Windows Update and much more frequently, so it shouldn't matter if WAU calls the definitions optional.
      On another note, it is disappointing that one patch was not released. Do we know what it covered?

  3. Fubar · 992 days ago

    re: AV should update daily - not autoupdate via a monthly WU patch check!?

    Unless there is a specific reason to not do so: MSE should be set internally to autoupdate and scan daily, or more frequently if possible. On standard Dell business machines (Optiplex/Latitude) purchased in the last several years, this presents no inconvenience or performance issues.

  4. Fubar · 992 days ago

    re: How do we know what to include or exclude

    Consider the analysis provided in this article. It identifies exactly one major/dangerous MICROSOFT WINDOWS network worm (Conficker) that most likely impacted "static state" medical equipment in a critical operations setting (not a standard "non critical" business setting).

    If the hospital had followed ALL industry advice, and installed ONE patch (for Conficker), they would presumably not have had the problem.

    Please note that Conficker *is* checked for by the "malicious software" scan that is updated monthly by Microsoft! (via WU - Windows Update)

  5. Fubar · 992 days ago

    (cont.) In settings where there are no custom applications, it is most likely that installing ALL MS patches ALWAYS (when they are released) will not cause any *significant* problems on otherwise healthy, standard business PCs used by responsible people.

    In settings with custom applications that might be affected negatively by a patch, the organization must have IT resources to patch test their custom applications.

    It is utterly appalling that medical device/software manufacturers do not issue effective patch advisements to their customers with potential issues on "network facing" equipment.

    However, if you look at it from the manufacturer's viewpoint, the Windows architecture is deeply flawed (which is why so many "security" patches are needed in the first place). However, the manufacturer did make a choice to provide products on Microsoft platforms, so they should have known what they were getting into. Similarly, the manufacturer has to deal with irresponsible customers that abuse the equipment by using it in the same way they do their personal/retail PC. These problems are compounded if more than one custom device/app is running on a Windows PC.

  6. Fubar · 992 days ago

    (cont.) So, the problem is that the windows ecosystem is dysfunctional, but manufacturers are compelled for survival reasons in the current market to support it because it is a "general purpose", cheap platform (mediocre quality).

    Keep in mind that Microsoft became wildly successful 25+ years ago because high quality, *specialized* IT solutions in the previous generation of products were incredibly expensive, as in $20,000 for a word processor (e.g., Wang). 25 years ago $20,000 then was worth a lot more than it is now.

    Microsoft platforms have NEVER been known for super high quality, they were designed to be cheap, mass market, stuff that worked "ok" most of the time -- not specialized, high availability.

  7. Fubar · 992 days ago

    (cont./last) Sociologically, old school IT organizational cultures tended to be high cost and/or elitist, due to stringent requirements of mainframe/minicomputer support. (Consider the proposal for the "Network PC" by Oracle 20 years ago as an example of misalignment with mass market expectations.)

    Microsoft and other PC companies "revolutionized" the computer/software market by causing a paradigm shift, but one of the consequences is that there is confusion about the capabilities of Microsoft platforms and the related support ecosystem. To be frank, IT support has become "dumbed down" by the mass market success of MS.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.