Big Patch Tuesday release from Microsoft, but one fix held back

Microsoft's Christmas stocking of security patches isn't quite as well stuffed as we were led to expect. Nevertheless, 19 vulnerabilities have been addressed.

December's Patch Tuesday release from Microsoft is big, but not as big as expected. The company originally advised there would be 14 bulletins covering 20 vulnerabilities, but the discovery of an application compatibility issue involving "a major third-party vendor" led to one bulletin being delayed. According to Angela Gunn, senior response communications manager, Microsoft Trustworthy Computing, the company has seen no active attacks against that vulnerability.

The three critical bulletins all concern Windows, and all currently supported versions are affected by at least one of the issues. The bulletins address kernel-mode driver, Windows Media Player and Windows Media Center issues that could allow remote code execution via maliciously crafted documents or web pages with embedded TrueType font files, or Microsoft Digital Video Recording files.

The other critical bulletin is a cumulative security update of ActiveX kill bits to block four third-party ActiveX controls. It also addresses an issue with "a specific binary behaviour in Internet Explorer."

Mike Reavey, senior director of the Microsoft Security Response Center, noted that 2011 has seen the smallest number of critical vulnerabilities since 2005, and the smallest percentage of critical vulnerabilities (32%) since Microsoft switched to issuing bulletins on a monthly basis in 2004.

However, the proportion of critical or important vulnerabilities has risen over that period, as shown in this graph produced by Microsoft:

[Graph: Microsoft bulletin ratings]