Patch Tuesday Analysis for December 2011

Thirteen Security Bulletins were released today, one fewer than the fourteen in Microsoft's advance notification. The missing one relates to Security Advisory 2588513 (the SSL/TLS information-disclosure advisory); that advisory offers some advice on how to deal with the issue while waiting for the update. Here are some highlights of today's releases:

MS11-087 (Windows kernel-mode drivers) is rated Critical for all supported versions of Windows. Exploit details are public and the vulnerability is being actively exploited, so we recommend accelerated testing and deployment of this patch. It requires a restart.

MS11-092 patches a vulnerability in Windows Media Player that is triggered when an attacker convinces a user to open a specially crafted .dvr-ms file; it is rated Critical for XP, Vista and Windows 7. How quickly this patch should be deployed depends on your users' habits, and the amount of video they view will no doubt keep increasing.

MS11-090 is a cumulative update of ActiveX kill bits. A kill bit prevents Internet Explorer from loading the ActiveX control it is set for. All but one of the kill bits in this update are for third-party controls.
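The kill-bit mechanism that MS11-090 relies on is a registry flag, so it can be audited and applied by hand. The PowerShell below is an added example, not code from the original post or from Microsoft: it reads and sets bit 0x400 of the REG_DWORD "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which is the kill bit, and lists every CLSID that currently has it set. The CLSID at the end is a placeholder (the null GUID), not one of the controls covered by the bulletin.

```powershell
# Added example, not code from the original post or from Microsoft.
# The ActiveX kill bit is bit 0x400 of the REG_DWORD "Compatibility Flags"
# under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID};
# when it is set, Internet Explorer refuses to instantiate that control.
# Run from an elevated PowerShell prompt.

$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatibilityFlags {
    # Returns the Compatibility Flags value for a key, or 0 if it is absent.
    param([string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    # $true when the kill bit is set for the given CLSID (braces included).
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }
    return (((Get-CompatibilityFlags $key) -band $KillBit) -eq $KillBit)
}

function Set-ActiveXKillBit {
    # Sets the kill bit while preserving any other compatibility flags present.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-CompatibilityFlags $key) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Get-ActiveXKillBits {
    # Lists every CLSID that currently has the kill bit set, e.g. to confirm
    # what MS11-090 added once it is installed.
    Get-ChildItem -Path $BasePath | Where-Object {
        ((Get-CompatibilityFlags $_.PSPath) -band $KillBit) -eq $KillBit
    } | ForEach-Object { $_.PSChildName }
}

# Placeholder CLSID (hypothetical; not one of the controls in MS11-090).
$ExampleClsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit  -Clsid $ExampleClsid
Test-ActiveXKillBit -Clsid $ExampleClsid
Get-ActiveXKillBits | Select-Object -First 5
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so a manual kill bit must be set under both paths to be effective for both browser bitnesses.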

MS11-095 is offered only to systems on which Active Directory services are installed. Domain controllers are the obvious example, but the table lists workstations and servers too, because the update also applies to Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Services (AD LDS) installations.

MS11-088 fixes a privilege-elevation vulnerability in the Office 2010 Chinese IME. An IME (Input Method Editor) lets a user compose characters from sequences of keystrokes; some languages, such as Chinese, have so many characters that a key for each one is impractical. Only systems with an affected version of the Microsoft Pinyin (MSPY) IME for Simplified Chinese installed are vulnerable.

MS11-091 addresses multiple vulnerabilities in Office Publisher (2003 and 2007), one of which has been publicly disclosed.

MS11-093 fixes a vulnerability in OLE (Object Linking and Embedding), which Office products and some third-party software use. Only XP and Server 2003 are affected. Servers are less exposed if best practice is followed, since the attack requires a user to open a crafted file on the machine.

Two vulnerabilities in PowerPoint are addressed in MS11-094. Not all versions and service packs are affected; the table lists the affected products.

MS11-096 corrects a record memory corruption vulnerability in Excel, where "record" refers to the file-format records Excel parses when opening a workbook. Office 2003 and Office 2004 for Mac are affected.

MS11-097 fixes a privilege-elevation vulnerability in CSRSS (the Client/Server Run-time Subsystem), a component present in all supported Windows versions. The patch requires a restart.

MS11-098, another privilege-elevation fix in the Windows kernel-mode drivers, affects only 32-bit systems and requires a restart.

MS11-099 is a cumulative update for Internet Explorer and requires a restart.

Fast Facts table. Each entry gives the bulletin and its KB article number, followed by: exploit type / technology affected; system types affected; whether exploit details are public / whether it is being exploited; whether a comprehensive, practical workaround is available; the Microsoft severity rating; products affected; notes; and Randy's recommendation.

MS11-089 (KB 2590602)
  Exploit type / technology: Arbitrary code / Office Word
  Systems affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Important
  Products: Office 2010, Office 2011 for Mac
  Notes: none
  Randy's recommendation: Patch after testing

MS11-091 (KB 2607702)
  Exploit type / technology: Arbitrary code / Publisher
  Systems affected: Workstations
  Exploit details public? / Being exploited?: Yes / No
  Practical workaround available?: No
  MS severity: Important
  Products: Office 2003, Office 2007
  Notes: Multiple vulnerabilities
  Randy's recommendation: Patch after testing

MS11-099 (KB 2618444)
  Exploit type / technology: Arbitrary code / Internet Explorer
  Systems affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Important
  Products: XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7
  Notes: Cumulative update; restart required
  Randy's recommendation: Patch after testing

MS11-090 (KB 2618451)
  Exploit type / technology: Arbitrary code / ActiveX
  Systems affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Critical
  Products: XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7
  Notes: Cumulative update (kill bits)
  Randy's recommendation: Patch after testing

MS11-097 (KB 2620712)
  Exploit type / technology: Privilege elevation / Windows (CSRSS)
  Systems affected: Workstations, Servers
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Important
  Products: XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7
  Notes: Restart required
  Randy's recommendation: Patch after testing

MS11-093 (KB 2624667)
  Exploit type / technology: Arbitrary code / OLE
  Systems affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Important
  Products: XP, Server 2003
  Notes: none
  Randy's recommendation: Patch after testing

MS11-098 (KB 2633171)
  Exploit type / technology: Privilege elevation / Windows kernel-mode drivers
  Systems affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Important
  Products: XP, Vista, Server 2003, Server 2008, Windows 7
  Notes: Restart required; 32-bit systems only
  Randy's recommendation: Patch after testing

MS11-094 (KB 2639142)
  Exploit type / technology: Arbitrary code / PowerPoint
  Systems affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Important
  Products: Office 2007, Office 2008 for Mac, Office Converter Pack, PowerPoint Viewer 2007, Office 2010
  Notes: Multiple vulnerabilities
  Randy's recommendation: Patch after testing

MS11-087 (KB 2639417)
  Exploit type / technology: Arbitrary code / Windows kernel-mode drivers
  Systems affected: Workstations, Servers
  Exploit details public? / Being exploited?: Yes / Yes
  Practical workaround available?: No
  MS severity: Critical
  Products: XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7
  Notes: Restart required
  Randy's recommendation: Patch after minimal testing

MS11-095 (KB 2640045)
  Exploit type / technology: Arbitrary code / Active Directory
  Systems affected: Workstations, Servers, Domain Controllers
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Important
  Products: XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7
  Notes: Only systems with Active Directory services installed
  Randy's recommendation: Patch after testing

MS11-096 (KB 2640241)
  Exploit type / technology: Arbitrary code / Excel
  Systems affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Important
  Products: Office 2003, Office 2004 for Mac
  Notes: none
  Randy's recommendation: Patch after testing

MS11-092 (KB 2648048)
  Exploit type / technology: Arbitrary code / Media Player
  Systems affected: Workstations
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Critical
  Products: XP, Vista, Windows 7
  Notes: none
  Randy's recommendation: Patch after testing

MS11-088 (KB 2652016)
  Exploit type / technology: Privilege elevation / Office
  Systems affected: Workstations
  Exploit details public? / Being exploited?: No / No
  Practical workaround available?: No
  MS severity: Important
  Products: Office 2010
  Notes: IME (Chinese)
  Randy's recommendation: Patch after testing
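The table's applicability notes (MS11-098 only on 32-bit systems, MS11-095 only where Active Directory services are installed) and its "public / exploited" column translate directly into a host check. The PowerShell below is an added example, not code from the original post or from Microsoft: it takes the Windows bulletins and KB numbers from the table, applies those two conditions, asks Get-HotFix whether each KB is present, and carries the recommendation through to the status of anything missing. The Office bulletins (MS11-088, -089, -091, -094 and -096) install through the Office installer and are not reported by Get-HotFix, so they are deliberately left out; the Active Directory check is a domain-controller role check only, which is an assumption noted in the code, since member servers running ADAM or AD LDS are not detected by it.

```powershell
# Added example, not code from the original post or from Microsoft.
# Checks which of this month's Windows bulletins are installed on the local
# host. Get-HotFix reads Win32_QuickFixEngineering, which can miss updates
# installed through some channels, so treat "Missing" as a prompt to verify
# against your patch-management console rather than as proof.

$Bulletins = @(
    @{ Id = 'MS11-087'; KB = 'KB2639417'; Recommendation = 'Patch after minimal testing' }
    @{ Id = 'MS11-090'; KB = 'KB2618451'; Recommendation = 'Patch after testing' }
    @{ Id = 'MS11-092'; KB = 'KB2648048'; Recommendation = 'Patch after testing' }
    @{ Id = 'MS11-093'; KB = 'KB2624667'; Recommendation = 'Patch after testing' }
    @{ Id = 'MS11-095'; KB = 'KB2640045'; Recommendation = 'Patch after testing' }
    @{ Id = 'MS11-097'; KB = 'KB2620712'; Recommendation = 'Patch after testing' }
    @{ Id = 'MS11-098'; KB = 'KB2633171'; Recommendation = 'Patch after testing' }
    @{ Id = 'MS11-099'; KB = 'KB2618444'; Recommendation = 'Patch after testing' }
)

function Test-Is32BitOS {
    # PROCESSOR_ARCHITEW6432 is set only for a 32-bit process on a 64-bit OS,
    # so this is correct even from a 32-bit PowerShell on a 64-bit machine,
    # and it works on XP, which lacks Win32_OperatingSystem.OSArchitecture.
    return ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and (-not $env:PROCESSOR_ARCHITEW6432)
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # Assumption: member servers hosting ADAM or AD LDS also need MS11-095
    # but are not detected by this role check.
    return ((Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4)
}

function Test-BulletinApplicable {
    # Applies the applicability conditions from the table; everything else
    # is treated as applicable to all supported Windows versions.
    param([string]$Id)
    switch ($Id) {
        'MS11-098' { return (Test-Is32BitOS) }
        'MS11-095' { return (Test-IsDomainController) }
        default    { return $true }
    }
}

function Get-PatchStatus {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($b in $Bulletins) {
        if (-not (Test-BulletinApplicable $b.Id)) { $status = 'Not applicable' }
        elseif ($installed -contains $b.KB)       { $status = 'Installed' }
        else                                       { $status = 'Missing: ' + $b.Recommendation }
        New-Object PSObject -Property @{ Bulletin = $b.Id; KB = $b.KB; Status = $status }
    }
}

Get-PatchStatus | Sort-Object Bulletin | Format-Table Bulletin, KB, Status -AutoSize
```

Because MS11-087's recommendation is carried into the status string, a missing MS11-087 stands out as "Missing: Patch after minimal testing" in the output, which is the one line on a host report that should trigger an out-of-cycle deployment.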
