Patch Tuesday: December 2011 (Fix for DUQU exploit)

Status
Not open for further replies.

bogdan

In December, Microsoft released 13 security bulletins (three of which are rated Critical in severity, and 10 Important), fixing 19 unique vulnerabilities in Microsoft products. As usual, Windows users are advised to apply the updates as soon as possible.


MS11-087 - Critical: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417): This finally fixes the Vulnerability in TrueType Font Parsing used by the DUQU worm.

MS11-092 - Critical: Vulnerability in Windows Media Could Allow Remote Code Execution (2648048). This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.

Another notable fixed vulnerability is addressed in Microsoft Security Bulletin MS11-099 - Important: Cumulative Security Update for Internet Explorer (2618444). This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerability could allow remote code execution if a user opens a legitimate HyperText Markup Language (HTML) file that is located in the same directory as a specially crafted dynamic link library (DLL) file. It affects all versions of Internet Explorer (6, 7, 8, 9) and has an exploitability index of 3.

Source: The December bulletins are released [blogs.technet.com]
 

Missing from these patches is the BEAST (Browser Exploit Against SSL/TLS) patch. This is a Vulnerability in SSL/TLS that Could Allow Information Disclosure. The vulnerability was discovered in September 2011 and although Microsoft announced that it will get fixed this month, it was probably postponed because it was causing problems with some 3rd party software. Since it doesn't affect TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode, the proposed workaround is to enable TLS 1.1 and/or 1.2 in Internet Explorer. (See Microsoft Fix-it solution from September 2011)
 
bogdan said:
Missing from these patches is the BEAST (Browser Exploit Against SSL/TLS) patch. This is a Vulnerability in SSL/TLS that Could Allow Information Disclosure. The vulnerability was discovered in September 2011 and although Microsoft announced that it will get fixed this month, it was probably postponed because it was causing problems with some 3rd party software. Since it doesn't affect TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode, the proposed workaround is to enable TLS 1.1 and/or 1.2 in Internet Explorer. (See Microsoft Fix-it solution from September 2011)

I'm missing that, bogdan?
I just got 14, with MS Office also. Not just security updates for Windows 7.
 
I've got just 8 Updates for my desktop :D ....

But I've got 16 Updates for my laptop (with MS Office Installed)
 