December 2011 Patch Tuesday Preview

Microsoft Holiday Patch Tuesday release will be substantial. We will get 14 bulletins for a total of 20 CVEs. Out of the 14, three are of the highest severity level, "critical", and affect Windows XP, Vista, and Windows 7. Only one of the critcal vulnerabiilties applies to Windows 7. On the server side, both Windows 2003 and 2008 are vulnerable, but again the newer 2008 is better than 2003, with only one vulnerability applicable.

Five of the "important" bulletins affect Office 2003, 2007 and 2010 including all office versions for Macintosh as well. One of the remaining bulletins addresses Internet Explorer 6 through 9 and the remaining bulletins apply to all versions of Windows.

In addition, users of Adobe Reader 9 can expect an update that will address the current 0-day vulnerability CVE-2011-2462 in Reader (and Acrobat itself). Since exploits for the vulnerability are already in the wild, Adobe has stated that they will deliver a high priority update out-of-band next week, so it is available earlier than their next scheduled release in January 2012. Alternatively (and better IMHO) you could update your users to Adobe Reader X, which while it contains the vulnerability, cannot be successfully exploited due to its sandboxing features.

BTW, an excellent technical analysis of the Reader flaw can be found here at the B9Plus blog by Brandon Dixon.