This month, there are seven bulletins, of which five are critical and two are important. Fortunately, none are currently under active attack, so that should set IT’s mind at ease as they begin to apply this set of patches.
Since 2012 is coming to an end, Paul Henry, security and forensic analyst at Lumension, pulled together a quick look at the numbers year-over-year. In 2011, Microsoft had 100 bulletins for the calendar year, of which 34 were critical, 63 important and three moderate. In 2012, they reduced the number of bulletins by close to 20 percent, coming in at 83 bulletins for the year, of which 35 were critical, 46 important and two moderate. According to Henry, it’s great to see that Microsoft’s Secure Coding Initiative is paying off, reducing the number of vulnerabilities in their software and making Patch Tuesday easier on IT.
Another trend that’s interesting to note is Microsoft’s consistency. When you look at the numbers in depth, you can see that in 2011 there was a bit of yo-yo’ing going on with Patch Tuesday. For example, in January there were two bulletins, while February had 12. March then went back down to three, but April went up to 17, while May went down to two and June back up to 16. IT might have felt like they had whiplash by the end of the year! In contrast, January of this year had seven, a slight increase to nine in February, then six in both March and April, and seven in both May and June. In fact, only one month – September, at three – was lower than six or higher than nine. This degree of consistency makes it easier for IT to plan the time and effort they’ll need to spend on Patch Tuesday each month.
What follows is a summary of what to expect in December’s Patch Tuesday, as identified by Paul Henry, security and forensic analyst at Lumension.
Now, onto this month’s bulletins! The most important bulletin is Bulletin 1, affecting IE 9 and IE 10, with a critical severity rating. These are use-after-free issues. They affect only components that were introduced in IE 9, which is interesting: it means IE 9 and IE 10 are affected, while the down-level versions don’t really have the components. Microsoft has done some defense-in-depth hardening for those versions to address these issues. However, because those versions don’t have the affected components, they were not given a severity ranking.
The next priority is Bulletin 3, which is a Microsoft Word remote code execution vulnerability. While typical Word vulnerabilities are ranked important, this one is ranked critical. Similar to a bulletin issued a few months ago, there’s an issue with RTF-formatted data that can be parsed in the Outlook Preview Pane, triggering the vulnerability. Because that parsing happens automatically in the Preview Pane, this patch will be very important to apply quickly.
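A defender-side hardening step for the Preview Pane exposure described above, added here as an example and not part of the article or Lumension’s guidance: configure Outlook to display incoming mail as plain text so that RTF bodies are not rendered in the Preview Pane. The only assumption is the Office release: the snippet targets Outlook 2010, whose registry version key is 14.0; the ReadAsPlain value itself is Outlook’s standard setting for plain-text reading.

```powershell
# Added example, not from the article: force Outlook to display mail in plain
# text so RTF bodies are not parsed in the Preview Pane.
# Assumes Outlook 2010 (registry version key 14.0); adjust for other releases.
$officeVersion = '14.0'
$mailKey = "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook\Options\Mail"

function Get-OutlookReadAsPlain {
    param([string]$Key)
    $value = Get-ItemProperty -Path $Key -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
    # Value absent means Outlook's default: rich (HTML/RTF) content is rendered
    if ($null -eq $value) { return 0 }
    return [int]$value.ReadAsPlain
}

function Set-OutlookReadAsPlain {
    param([string]$Key, [int]$Enabled)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # DWORD ReadAsPlain = 1 makes Outlook show every message as plain text
    Set-ItemProperty -Path $Key -Name 'ReadAsPlain' -Value $Enabled -Type DWord
}

"Before: ReadAsPlain = $(Get-OutlookReadAsPlain -Key $mailKey)"
Set-OutlookReadAsPlain -Key $mailKey -Enabled 1
"After:  ReadAsPlain = $(Get-OutlookReadAsPlain -Key $mailKey)"
```

The key lives under HKCU, so run this in the affected user’s context (or push the same value with Group Policy Preferences for a fleet) and restart Outlook. It is a stop-gap that reduces exposure until the bulletin is applied, at the cost of rendering all mail as plain text.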
Next, Bulletin 2 is a kernel-mode drivers issue, ranked critical. Similar to a bulletin last month, this affects TrueType and OpenType font parsing. However, because exploiting this vulnerability would be time-consuming and difficult, it is less important than the Word and IE issues.
Bulletin 4 is an Exchange remote code execution vulnerability. A few months ago, Microsoft addressed Oracle Outside In vulnerabilities for the first time. This is a similar update, picking up the recent Oracle update to Outside In. There has never been an active attack on this, but it’s an important component, so it’s good to see Microsoft performing their due diligence here.
Then we have Bulletin 5, a remote code execution issue in the Windows file-handling component, affecting Windows XP through Windows 7. Fortunately, Windows 8 is not affected here. Essentially, the vulnerability is hit when Windows Explorer parses a filename.
Bulletin 6 addresses a vulnerability in DirectPlay, affecting all versions of Windows from XP through Windows 8. As Henry pointed out last month, Windows 8 is unfortunately not perfect, security-wise, and we can expect updates for that operating system to become more common in 2013. If you use DirectPlay to parse content in Office documents or things embedded in Office documents, this vulnerability will come into play. The Office documents act as the vector, but it is a Windows-level vulnerability.
Finally, Bulletin 7 is a vulnerability in IP-HTTPS, which is a component of DirectAccess. DirectAccess is a common VPN authentication solution that checks corporate credentials when you log in to ensure they have not been revoked or expired. Essentially, this is a bug that doesn’t honor the revocation time stamp on a certificate, as you might see on corporate credentials after an employee leaves the company. The vulnerability would allow someone with a revoked certificate to log in and access corporate assets. This is ranked important if you use DirectAccess.
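To show what honoring revocation looks like when a client certificate is validated, here is an added PowerShell example; it is not part of the article and not DirectAccess’s own code. It uses the .NET X509Chain API and assumes a certificate file at the hypothetical path C:\temp\client.cer. The first call reproduces the weak behaviour (revocation never consulted, so a revoked certificate still chains as trusted); the second is the correct check, where the CRL or OCSP responder is fetched and a revoked certificate fails.

```powershell
# Added example, not from the article: validate a client certificate with and
# without revocation checking. Assumes the hypothetical path C:\temp\client.cer.
$certPath = 'C:\temp\client.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

function Test-CertChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    # Check revocation for every certificate in the chain, not only the leaf
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($Certificate)
    [pscustomobject]@{
        Mode    = $RevocationMode
        Trusted = $built
        # Empty when the chain is clean; otherwise e.g. 'Revoked' or 'RevocationStatusUnknown'
        Status  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

# Weak check: revocation is never consulted, a revoked certificate still passes
Test-CertChain -Certificate $cert -RevocationMode NoCheck

# Correct check: CRL/OCSP is consulted, a revoked certificate fails with status 'Revoked'
Test-CertChain -Certificate $cert -RevocationMode Online
```

When auditing your own validation path, treat RevocationStatusUnknown and OfflineRevocation as failures rather than as a pass: a client that cannot reach the CRL distribution point should not be granted the benefit of the doubt.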
There is also a Flash update, which is pretty common these days, and a re-release addressing some code-signing issues by updating the code-signing certificates.
It’s nice that this month, Adobe has matched their updates to Patch Tuesday, which should make patching a little easier on IT admins this month, as this will help consolidate reboots and other issues.
Oracle was already feeling the heat from a new cross-vendor zero-day vulnerability reported in Java and is now facing additional pressure from multiple vulnerabilities reported in its widely used MySQL product. Several vulnerabilities were reported in early December by the researcher “Kingcope” on the Exploit Database. The new MySQL exploits include a denial-of-service attack, a Windows remote root attack, two buffer overrun attacks on Linux, and one privilege escalation attack, also on Linux.
The widely used DNS software BIND now has patches available in version 9.9.2 to handle 26 different bugs and security issues.
The SANS ISC has reported that exploit code has been made public for SSH implementations from Tectia SSH and freeSSHd/freeFTPd. No CVEs are available for tracking, and there have not been any public announcements from either software vendor.