Patch Tuesday analysis for December 2011


December Patch TuesdayAs always on the second Tuesday of the month Microsoft and Adobe release their monthly security bulletins.

This month Microsoft has released 13 bulletins, although they had originally announced there would be 14 this month. In the final stages of QA, Microsoft discovered a application incompatibility with a major software vendor.

This is another reason I would love to declare the concept of change control a dead concept when it comes to Microsoft/Adobe/Java patches.

The vendors do an excellent job of assuring compatibility and the time you are waiting and testing patches is being put to much better use by your adversaries.

Three of this months Microsoft bulletins are rated critical. Two of these, MS11-087 and MS11-092 deserve the most attention.

MS11-087 is known as the Duqu zero-day remote code execution flaw. This vulnerability in the Windows kernel can be exploited by attackers embedding specially crafted TrueType fonts in documents.

Considering that there are attackers out there actively exploiting this flaw it is certainly an important one, although at this time it appears that only the people behind Duqu know how to use it successfully.

MS11-092 affects Windows Media Player and also allows an attacker remote code execution. Microsoft considers this critical, although to be exploited the user must be tricked into downloading and opening a malicious .dvr-ms file.

Other Microsoft product fixes include Internet Explorer, MS Office, MS Publisher, Active Directory, OLE and the Windows kernel.

Considering MS11-087 requires a restart to patch the kernel, I recommend installing all of these fixes at once to save on restarts.

SophosLabs rates all of these vulnerabilities as Medium except for the MS11-087 Duqu vulnerability.

Adobe logoIt is a pretty quiet month for Adobe with just two bulletins covering Adobe Flex SDK and Adobe Cold Fusion.

The Flex bug is related to a cross-site scripting (CSS) vulnerability. The Cold Fusion bug appears to be the same and is also called out as a CSS bug. Both patches are rated important.

It’s a bad time of year to get into patching production systems, but if you can get these done before the holiday break things might go more smoothly when you return in January.

Happy holidays, and good luck with your patching!