Microsoft’s December Update comes with 13 Security Patches
Microsoft has released its December cycle of security update containing 13 patches to address 3 critical vulnerabilities, with one which the currently notorious Duqu worm exploits, published softpedia on December 14, 2011.
Security Intelligence Manager, Joshua Talbot from Symantec has said that the December security bulletin's most vital fix is the one which addresses the TrueType Font Parsing flaw a zero-day vulnerability, which the Duqu uses for its targeted assaults. CSO reported this on December 13, 2011.
Talbot further says that Duqu as such doesn't mean to exploit the said flaw, but when malevolent e-mail attachments attempt at planting the malware onto target computers, they utilize the flaw.
One more crucial bug, which may let arbitrary code execution, associates with an ActiveX problem. Kill bits of an ActiveX component are incorporated within software so that malicious websites as also certain binary actions inside Microsoft's Internet Explorer wouldn't disturb Web-surfers.
Moreover, the third fix addresses one privately reported security flaw within Windows Media Center and Windows Media Player. This flaw can let execution of remote code provided an end-user views a maliciously designed Microsoft Digital Video Recording or .dvr-ms file. The file cannot be forceful rather it should be convincing so the user would open it to make the attack a success.
The rest of the ten flaws, assigned the "important" rating became evident within Microsoft Office, Active Directory, Windows Kernel, OLE, and Windows server/client subsystem.
Microsoft, initially, announced on December 8, 2011 that it would issue fourteen security patches. Of these, the 14th one was intended for plugging the SSL (Secure Sockets Layer) hole within Apache Web-servers, which the BEAST program has been exploiting. But Microsoft withdrew this bulletin because of an adverse exchange with a reputed provider, which also suggests the extensive trials it puts its patches to.
Meanwhile, according to security researchers, one other security update is expected during the 3rd-week of December 2011 from another software company i.e. Adobe to fix its Reader flaw. This flaw is critical as well as being actively used, seemingly widely prevalent so much so that Adobe will release the patch out of the usual cycle it maintains.
Related article: Microsoft Patches Live OneCare to Tackle Quarantined E-Mails
» SPAMfighter News - 23-12-2011