Qualys Blog

www.qualys.com
wkandek

December 2011 Patch Tuesday

This month, we have 13 Security Bulletins instead of the expected 14, bringing us up to 99 bulletins this year. The originally anticipated 14th bulletin was for the BEAST attack, but it did not make it in time for the holidays due to a last-minute software incompatibility uncovered during third-party testing. Still, with close to 100 bulletins per year, IT administrators have had a significant amount of work to do each month.

To be fair, not all of the bulletins apply to everybody or have the same urgency to install. However, there are always a number of updates each month that are, in our view, higher priority. In December we have a few clear candidates that you should install as quickly as possible:

  1. MS11-087 is a critical fix for a flaw in TrueType font (TTF) handling in the Windows kernel. It can be triggered by opening an Office document or, with some more work, by simply visiting a web page. The flaw has seen use in the wild to plant the DUQU malware, and Microsoft had previously published an advisory for it – KB2639658. Now that the patch is out, we can expect an exploit to be coded and become available in short order.
  2. MS11-092 addresses a flaw in Windows Media Player, which can be attacked through a specially crafted DVR-MS file. It is critical and can be triggered through simple web browsing, so you should fix it as quickly as possible.
  3. MS11-089, MS11-094 and MS11-096 are all Office-related vulnerabilities (Word, PowerPoint and Excel respectively) and require users to open a file to be triggered. We rate them at the same level of criticality as MS11-087 or MS11-092 – they should be included in your fast patch cycle.

The planned MS11-100 (which may now be MS12-001) is a fix for the other vulnerability that has PoC code in the wild. The BEAST attack was disclosed at Ekoparty 2011 in Buenos Aires and affects all web servers that support SSLv3/TLSv1 encryption. We are hopeful that you have already applied the currently recommended workaround in Microsoft’s advisory KB2588513, which is to configure the web server to favor the unaffected RC4 cipher in the SSL setup. MS11-100/MS12-001 will provide a code fix, and we recommend applying it as soon as it becomes available.
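The following Python check is an added example, not part of the original post or of Microsoft's advisory. It audits a server's cipher-suite preference list against the workaround described above and reports any CBC suites ranked ahead of the first RC4 suite. The suite lists are constructed samples in IANA/Schannel-style naming, and the check assumes the server enforces its own preference order.

```python
# Added example: audit a cipher-suite preference order against the BEAST
# workaround described in the post (RC4 suites preferred over CBC suites).
# Assumption: IANA/Schannel-style names (TLS_..._WITH_...); sample lists
# below are constructed for illustration, not read from any real host.

DEFAULT_ORDER = (
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA"
)
WORKAROUND_ORDER = (
    "TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256"
)


def classify(suite: str) -> str:
    """Return 'rc4', 'cbc' or 'other' for one suite name."""
    name = suite.upper()
    if "_RC4_" in name:
        return "rc4"
    # Curve suffixes such as _P256 follow the MAC, so '_CBC_' still matches.
    if "_CBC_" in name:
        return "cbc"
    return "other"


def audit_order(order: str) -> dict:
    """Check a comma-separated preference list, most preferred first."""
    suites = [s.strip() for s in order.split(",") if s.strip()]
    kinds = [classify(s) for s in suites]
    first_rc4 = kinds.index("rc4") if "rc4" in kinds else None
    # With no RC4 suite at all, every CBC suite counts as "ahead of RC4".
    cutoff = len(suites) if first_rc4 is None else first_rc4
    cbc_ahead = [s for s, k in zip(suites[:cutoff], kinds[:cutoff]) if k == "cbc"]
    return {
        "first_rc4": None if first_rc4 is None else suites[first_rc4],
        "cbc_ahead_of_rc4": cbc_ahead,
        "follows_workaround": not cbc_ahead,
    }


if __name__ == "__main__":
    for label, order in (("default", DEFAULT_ORDER), ("workaround", WORKAROUND_ORDER)):
        result = audit_order(order)
        print(label, "OK" if result["follows_workaround"] else "CBC preferred:",
              ", ".join(result["cbc_ahead_of_rc4"]))
```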

There is one more bulletin expected this week – not from Microsoft but from Adobe, for Adobe Reader. It is critical and in use in the wild, apparently prevalent enough to have Adobe break its normal cycle and release a patch out-of-band. Apply it as soon as it comes out, or even better, upgrade to Adobe Reader X, which cannot be exploited through this vulnerability thanks to its sandboxing. This is now the third time in 2011 that Adobe Reader X has been immune, a clear demonstration of the power of the sandboxing technology that is being used in most modern browsers as well.
