Security Market Segment LS
Wednesday, 14 December 2011 09:40

Big Patch Tuesday release from Microsoft, but one fix held back

By

Microsoft's Christmas stocking of security patches isn't quite as well stuffed as we were led to expect. Nevertheless, 19 vulnerabilities have been addressed.

December's Patch Tuesday saw Microsoft release is big, but not as big as expected. The company originally advised there would be 14 bulletins covering 20 vulnerabilities, but the discovery of an application compatibility issue involving "a major third-party vendor" led to one bulletin being delayed. According to Angela Gunn, senior response communications manager, Microsoft trustworthy computing, the company has seen no active attacks against that vulnerability.

The three critical bulletins all concern Windows, and all currently supported versions are affected by at least one of the issues. The bulletins address kernel-mode driver, Windows Media Player and Windows Media Center issues that could allow remote code execution via maliciously crafted documents or web pages with embedded TrueType font files, or Microsoft Digital Video Recording files.

The other critical bulletin is a cumulative security update of ActiveX kill bits to block four third-party ActiveX controls. It also addresses an issue with "a specific binary behaviour in Internet Explorer."

Mike Reavey, senior director of the Microsoft Security Response Center, noted that 2011 has seen the smallest number of critical vulnerabilities since 2005, and the smallest percentage of critical vulnerabilities (32%) since Microsoft switched to issuing bulletins on a monthly basis in 2004.

However, the proportion of critical or important vulnerabilities has risen over that period, as shown in this graph produced by Microsoft:

MS Bulletin_Ratings

CONTINUED

 


Microsoft uses the term 'critical' to describe "A vulnerability whose exploitation could allow the propagation of an Internet worm without user action" and 'important' for "A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources."

But some critical vulnerability descriptions provide scenarios in which users open files. In such cases, the difference between the two classifications appears to be whether the issue equally affects users with or without administrative rights.

While Microsoft deserves recognition for reducing the number and proportion of critical vulnerabilities, we might feel more secure if the figures for important vulnerabilities had fallen similarly.

The remaining Windows issues for December are rated important. They involve vulnerabilities in OLE (XP and Server 2003 only), Active Directory (all versions except Server 2008), the Client/Server Runtime System (all versions), Windows Kernel (32-bit versions of XP SP3, Vista SP2, Windows 7 including SP1, and Server 2003 SP2), and Internet Explorer (versions 6, 7, 8 and 9).

The remaining bulletins address issues found in Microsoft Office. All are rated important.

The first is specific to the Microsoft Pinyin Input Method Editor 2010 and allows privilege escalation. The others can be exploited via maliciously crafted Word, Publisher, PowerPoint or Excel documents.

CONTINUED

 


In various combinations, these issues affect all currently suppotyed versions of Office (ie 2003, 2004, 2007, 2008, 2010 and 2011), as well as PowerPoint Viewer 2007 SP2; Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2; and Microsoft Office Pinyin SimpleFast Style 2010 and Microsoft Office Pinyin New Experience Style 2010.

As usual, Microsoft also released an updated version of the Malicious Software Removal Tool, non-security updates affecting all currently supported versions of Windows, and an update for the Windows Mail Junk E-Mail Filter.


Subscribe to Newsletter here

NEW OFFER - ITWIRE LAUNCHES PROMOTIONAL NEWS & CONTENT

Recently iTWire remodelled and relaunched how we approach "Sponsored Content" and this is now referred to as "Promotional News and Content”.

This repositioning of our promotional stories has come about due to customer focus groups and their feedback from PR firms, bloggers and advertising firms.

Your Promotional story will be prominently displayed on the Home Page.

We will also provide you with a second post that will be displayed on every page on the right hand side for at least 6 weeks and also it will appear for 4 weeks in the newsletter every day that goes to 75,000 readers twice daily.

POST YOUR NEWS ON ITWIRE NOW!

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

These days our customers Advertising & Marketing campaigns are mainly focussed on Webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://www.itwire.com/itwire-update.html and Promotional News & Editorial.

For covid-19 assistance we have extended terms, a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

BACK TO HOME PAGE
Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.

BACK TO HOME PAGE

ZOOM WEBINARS & ONLINE EVENTS

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Research & Case Studies

Channel News

Comments