Microsoft Patch Tuesday – December 2011

Hello, welcome to this month’s blog on the Microsoft patch release. This is an average month—the vendor is releasing 13 bulletins covering a total of 19 vulnerabilities.

Three of this month's issues are rated ‘Critical’: they affect Media Player, the Microsoft Time ActiveX control, and TrueType font handling (the public issue currently being exploited by the Duqu malware). The remaining issues affect Windows, the kernel, Internet Explorer, Active Directory, Word, Excel, PowerPoint, Publisher, and Office.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the December releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms11-dec

The following is a breakdown of the issues being addressed this month:

  1. MS11-087 Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)

    CVE-2011-3402 (BID 50462) Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating 9.2/10)

    A previously public (Nov 1, 2011) remote code-execution vulnerability affects Windows kernel-mode drivers when handling specially crafted TrueType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file or viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the kernel. This may facilitate a complete system compromise.

  2. MS11-090 Cumulative Security Update of ActiveX Kill Bits (2618451)

    CVE-2011-3397 (BID 50970) Microsoft Windows Time Component Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating 7.1/10)

    A remote code-execution vulnerability affects the Microsoft Time ActiveX control. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

  3. MS11-092 Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)

    CVE-2011-3401 (BID 50957) Microsoft Windows Media Player And Media Center '.dvr-ms' Files Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating 7.1/10)

    A remote code-execution vulnerability affects Media Player and Media Center due to how they handle ‘.dvr-ms’ files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malformed file. A successful exploit will result in the execution of arbitrary attacker-supplied code with system-level privileges. This may facilitate a complete system compromise.

  4. MS11-099 Cumulative Security Update for Internet Explorer (2618444)

    CVE-2011-1992 (BID 50974) Microsoft Internet Explorer XSS Filter Cross Domain Information Disclosure Vulnerability (MS Rating: Important; Symantec Urgency Rating 6.7/10)

    A cross-domain information-disclosure vulnerability affects Internet Explorer. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a specially crafted web page. A successful exploit will allow an attacker to gain access to potentially sensitive information across domains.

    CVE-2011-2019 (BID 50975) Microsoft Internet Explorer CVE-2011-2019 DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important; Symantec Urgency Rating 8.5/10)

    A remote code-execution vulnerability affects Internet Explorer because of how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a file associated with the application from a remote WebDAV or SMB share, or from the local desktop. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

    CVE-2011-3404 (BID 50976) Microsoft Internet Explorer CVE-2011-3404 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate; Symantec Urgency Rating 6.7/10)

    An information-disclosure vulnerability affects Internet Explorer due to how it renders certain web pages. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a specially crafted web page. A successful exploit may result in the disclosure of potentially sensitive information across domains.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal, and to our customers through the DeepSight Threat Management System.