Microsoft: Duqu patched, bringing the year's total to 99 corrections
The last Patch Tuesday of the year corrects the Duqu vulnerability. A total of nineteen security faults have been corrected, although twenty were announced in advance, because the SSL/TLS fix was withdrawn. Overall, there were fewer critical faults in 2011.
Microsoft has released its final security updates of the year through the Patch Tuesday program. A large number of bugs have still been patched, but fewer than initially planned.
A patch meant to correct the SSL 3.0/TLS 1.0 issue exploited by the BEAST tool (Browser Exploit Against SSL/TLS), disclosed in September, was withdrawn at the last minute. Microsoft decided not to ship it after a compatibility problem with a third-party application (reported by SAP) was found, while pointing out that it has seen no exploitation of the fault in the wild.
That still leaves 19 vulnerabilities corrected by 13 bulletins. Three of them are rated critical, and two should be installed as a priority. The first concerns the zero-day vulnerability exploited by Duqu, which allows remote code execution. The fault lies in a kernel-mode component of Windows and can be exploited through TrueType fonts embedded in documents. All versions of Windows are affected by this fault, which has been publicly disclosed.
The second concerns Windows Media Player and also allows remote code execution: the user has to download and open a specially crafted .dvr-ms file. The update is rated critical on Windows XP, Vista and 7.
The third critical update, rated critical only on Windows XP and Windows Server 2003 and considered less urgent, is a cumulative ActiveX kill-bit update. It corrects a problem in an Internet Explorer binary behaviour and also sets kill bits for four third-party ActiveX controls.
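The kill bits this update sets are an ordinary registry flag, so an administrator can verify them, or add one for a control that is not yet covered, without waiting for a bulletin. The following PowerShell is an added example, not code from the article or from Microsoft: it reads and sets the kill bit for a control identified by its CLSID. The CLSID used below is a placeholder; the article does not name the four controls, and the key path and flag value are the documented ActiveX Compatibility mechanism used by Internet Explorer.

```powershell
# Added example: inspect or set the ActiveX kill bit for a control by CLSID.
# Internet Explorer refuses to instantiate a control whose
# "Compatibility Flags" DWORD under the ActiveX Compatibility key has
# bit 0x400 set. On 64-bit Windows the 32-bit browser reads the same
# path under HKLM:\SOFTWARE\Wow6432Node\... as well.

$KillBitFlag = 0x400
$BasePath    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-ActiveXKillBit {
    # Requires an elevated prompt: writes under HKLM.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    $existing = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    # Keep any other compatibility flags already set; only add the kill bit.
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($existing -bor $KillBitFlag) -Force | Out-Null
}

# Usage: placeholder CLSID (assumption, not one of the controls in this update).
$SampleClsid = '{00000000-0000-0000-0000-000000000000}'
if (Get-ActiveXKillBit -Clsid $SampleClsid) {
    "Kill bit is set for $SampleClsid"
} else {
    "No kill bit for $SampleClsid (run Set-ActiveXKillBit -Clsid $SampleClsid from an elevated prompt to add one)"
}
```

Setting the bit yourself is the same action the cumulative update performs for the four controls it covers; the check is useful after patching to confirm the update actually landed on a machine, and on 64-bit systems both registry views should be inspected.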
Internet Explorer also gets a cumulative update of its own (rated important), which brings Internet Explorer 9 to maintenance version 9.0.4 and modifies the behaviour of the XSS filter.
The other updates cover products such as Microsoft Office, Active Directory (except on Windows Server 2008) and OLE (Windows XP and Server 2003); Microsoft Office 2010 is also on the affected-products list.
For 2011, Microsoft has published a total of 99 security bulletins (including the 13 released today), 32% of them rated critical (see picture). Only 2010, with 106 bulletins, has produced more in a single year since Patch Tuesday began. Microsoft notes that since 2005 a slight increase in critical vulnerabilities has been seen.