Hello all,


Happy holidays, and welcome to the last (knock on wood…) Microsoft security briefing of 2011.  This week MS released 13 patches, addressing 19 distinct vulnerabilities.  The vulns are heavily weighted toward applications, with only 5 OS vulnerabilities being addressed.  One of the patches (MS11-087) fills in a hole that we discussed last month, one which has been actively exploited by the much-discussed Duqu malware.  This one will clearly be a high priority for deployment in many organizations.  One other (MS11-091) fixes a vuln that had previously been disclosed in a public forum, but has not been exploited in the wild to date.


Since this is the last (scheduled) patch release of the year, it’s interesting to take a step back and apply a little perspective.  Overall, this was a very good year for Microsoft, from a security perspective. 


2011 marks the first year (so far) in which Microsoft has released ZERO out-of-cycle patches.  This year Microsoft kept to its published monthly patch release schedule like clockwork.  When surprises reared their heads (such as last month’s Duqu), Microsoft did a good job of documenting the mitigations available from MS, as well as the protections from security partners such as McAfee, and then working the ultimate patch into an upcoming scheduled release.  This is a refreshing change, and a significant contrast to last year, when MS released a record 4 out-of-cycle patches.  Out-of-cycle patches cause great disruption to normal IT operations, and eliminating them goes a long way toward helping organizations build repeatable, predictable IT processes.


On top of this, the overall volume and severity of security patches is also down in 2011.  This will be the first year that MS patched fewer vulnerabilities than the year before.  If you focus solely on critical vulnerabilities (the ones most likely to be exploited), they patched fewer this year than in any year since 2005.  These are very promising indicators, and show that MS has come a long way toward improving security in their platforms.


Of course, we are security professionals, and none of us is happy to dwell on the silver lining for long when there are storm clouds on the horizon.  Adobe came on strong in 2010 as a source of risk, and actually managed to pass Microsoft in critical patches issued in 2011.  Apple continues to make a strong showing, as does Oracle (mostly on account of Java, which it picked up with its acquisition of Sun in early 2010…welcome to the party, Oracle!).  While Microsoft is finally beginning to reap the rewards of the focus on security it began years ago, it’s safe to say that our jobs are secure for the foreseeable future.


[Figure not reproduced] Fig 1: Critical patches by year: Microsoft vs. Adobe


On to this month.  December’s patches include the following:


  • (MS11-087) Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
  • (MS11-088) Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)
  • (MS11-089) Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)
  • (MS11-090) Cumulative Security Update of ActiveX Kill Bits (2618451)
  • (MS11-091) Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)
  • (MS11-092) Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)
  • (MS11-093) Vulnerability in OLE Could Allow Remote Code Execution (2624667)
  • (MS11-094) Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)
  • (MS11-095) Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)
  • (MS11-096) Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)
  • (MS11-097) Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)
  • (MS11-098) Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)
  • (MS11-099) Cumulative Security Update for Internet Explorer (2618444)
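As a quick deployment check for the list above, here is a PowerShell snippet (added here; it is not part of the original briefing or a McAfee tool) that reports whether each of this month's KB numbers is present on the local host.  It assumes PowerShell 2.0 or later.  One caveat worth knowing: Windows component updates are recorded as hotfixes, but Office updates are not, so the script also looks at the Uninstall registry keys, where Office patches appear by KB number in their display name.  A KB reported as missing on a host that does not have the affected product installed is not a gap.

```powershell
# Added example (not from the original briefing): check a Windows host for the
# December 2011 bulletins listed above. KB numbers are taken from that list.
# Assumption: PowerShell 2.0 or later on the host being checked.

# Bulletin -> KB number, copied from the list above.
$December2011 = @{
    'MS11-087' = 'KB2639417'   # Windows kernel-mode drivers (TrueType font parsing)
    'MS11-088' = 'KB2652016'   # Office IME (Chinese)
    'MS11-089' = 'KB2590602'   # Office
    'MS11-090' = 'KB2618451'   # ActiveX kill bits
    'MS11-091' = 'KB2607702'   # Publisher
    'MS11-092' = 'KB2648048'   # Windows Media
    'MS11-093' = 'KB2624667'   # OLE
    'MS11-094' = 'KB2639142'   # PowerPoint
    'MS11-095' = 'KB2640045'   # Active Directory
    'MS11-096' = 'KB2640241'   # Excel
    'MS11-097' = 'KB2620712'   # Client/Server Run-time Subsystem
    'MS11-098' = 'KB2633171'   # Windows kernel
    'MS11-099' = 'KB2618444'   # Internet Explorer
}

# Windows component updates are recorded as hotfixes (Win32_QuickFixEngineering).
$hotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Office updates (MS11-088/089/091/094/096) are NOT reported by Get-HotFix; they
# appear under the Uninstall keys as entries whose DisplayName carries the KB.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$installedNames = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object { (Get-ItemProperty $_.PSPath).DisplayName }
    }
}

# Report one line per bulletin. "MISSING" may simply mean the affected product
# (e.g. Publisher or Active Directory) is not installed on this host.
foreach ($bulletin in ($December2011.Keys | Sort-Object)) {
    $kb = $December2011[$bulletin]
    $present = ($hotfixes -contains $kb) -or
               ($installedNames | Where-Object { $_ -and $_ -match $kb })
    $state = if ($present) { 'installed' } else { 'MISSING (or not applicable)' }
    "{0} ({1}): {2}" -f $bulletin, $kb, $state
}
```

Run it in an elevated PowerShell session on the host you want to check; for fleet-wide coverage, the same KB list is what you would feed to your vulnerability scanner rather than running this per machine.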


At the top of the to-do list this month is MS11-087, which addresses an issue in the Windows TrueType font parsing engine (Why, oh why, is there a font parsing engine in the Windows kernel?  These are the things that keep me up at night).  Because the parser runs in kernel mode, a malformed font is not merely a crash of a user-mode process: the Duqu exploit used it to run code with kernel privileges, delivered via a font embedded in a malicious MS Word document as part of the attacks publicized in November.  While mitigations for Duqu have been in place for some time now, it’s good to see this vuln addressed, as it should reduce the impact of any follow-on copycat attacks.  Once the patch is deployed, remember to roll back any interim workaround you put in place to block the font engine, so that legitimate embedded fonts render again.


Before we leave the subject of Duqu and its associated (previously unpatched) vulnerability, it’s worth pointing out another Microsoft initiative: the Microsoft Active Protections Program (MAPP).  MAPP is a program through which Microsoft shares information with partners like McAfee on emerging security issues, and collects information about protections (e.g. IPS signatures and the like) released by MAPP partners.  With Duqu, they began to publish some of this information about protections available from their partners, via the URL below.  If your favorite vendor isn’t showing up on the MAPP Partners with Updated Protections site, you might ask them why not:


Beyond this one, the remaining 12 patches are mostly unremarkable, with a healthy dose of client-side vulnerabilities that allow an attacker to exploit a user’s system if they can convince the user to open a malicious document or visit a malicious web site.  McAfee’s coverage for this month’s MS vulns is good:


  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 9 out of 19 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 11 out of 19 vulnerabilities this month.
  • McAfee Application Control is expected to provide protection against exploits of 12 out of 19 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect against exploits of 14 out of 19 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.


As more details become available, you’ll find them on the McAfee Threat Center.


You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.


That wraps up 2011.  May 2012 bring you health, happiness, and few unwelcome surprises.