Three of the bulletins are rated critical and patch remote code execution flaws; the other 11 are rated important. In total, 20 vulnerabilities will be patched across Microsoft Windows, Office, Internet Explorer, Publisher, and Windows Media Player.
Paul Henry, security and forensic analyst at Lumension, compared the security bulletins to the “12 Days of Christmas” song. “On this Patch Tuesday before Christmas, Microsoft gave to me: 3 critical patches, 11 important ones, and a patch for the Duqu vulnerability.”
The Duqu trojan received a lot of press last month, after Symantec revealed that it had found the malware in eight countries. While Duqu has so far been used only to gather intelligence, Symantec judged that it is "essentially the precursor to a future Stuxnet-like attack" against industrial control systems.
Henry praised Microsoft for reducing the number of critical vulnerabilities that need to be patched.
“Clearly Microsoft has dramatically improved its software processes over recent years and it is reflected in the continued decline of critical vulnerabilities in the current codebase. The numbers speak volumes on the improvements from Microsoft. In 2006, 70% of security patches were critical; this year critical vulnerabilities have fallen to just 30%. In an otherwise volatile threat landscape, this is good news for everyone”, he said in an email.
Wolfgang Kandek, chief technology officer with Qualys, observed that five of the important bulletins affect Office 2003, 2007 and 2010, including the Macintosh versions of Office. One further bulletin addresses Internet Explorer 6 through 9, and the rest apply to all versions of Windows. "On the server side, both Windows 2003 and 2008 are vulnerable, but again the newer 2008 is better than 2003, with only one vulnerability applicable", he added.