Microsoft on Tuesday released 13 security bulletins, including three for critical flaws in Windows Media and in the Windows kernel-mode drivers. The company had planned on releasing 14 bulletins in December’s Patch Tuesday shipment, but officials said that one of the planned fixes was causing a compatibility problem with a third-party vendor’s products and is being held until that issue is remedied.
One of the flaws fixed in the December release is the Windows zero-day flaw exploited by Duqu. That vulnerability, which lies in the Windows TrueType font parsing engine and exploiting it could lead to remote code execution. Microsoft has been working on the fix for this vulnerability for some time and officials recommend that users install the patch immediately.
“This vulnerability has been used to drop the Duqu malware. An insufficient bounds check within the font parsing subsystem of win32k.sys could potentially allow a malformed font to corrupt ring0 memory. In the case of the Duqu dropper, a malformed font embedded inside an Office Word document triggered this memory corruption vulnerability to jump to attacker shellcode,” Microsoft’s Jonathan Ness and Chengyun Chu wrote in an analysis of the bug and its fix.
“To be clear, Duqu did not exploit the browser-based attack vector. As far as we know, this vulnerability has only been exploited via a custom font embedded within an Office document. However, attackers could potentially construct a malicious font in such a way that it could be embedded in a webpage.”
In addition to the two critical vulnerabilities fixed by Microsoft this month, the company also released patches for 10 vulnerabilities rated important, all but three of which can be used for remote code execution.
Microsoft also released some data on the relative number of critical vulnerabilities that it has patched during each of the last eight years, showing that the percentage of critical bugs began to level off in 2006. There was a slight increase again in 2009, but in the two years since then, the percentage of all bulletins that are rated as critical has dropped considerably. In 2001, the number of critical bugs accounted for 32 percent of all of Microsoft’s bulletins.
“Even though there are fewer Critical-class security updates year-over-year, we know that any update has the potential to be disruptive for customers. And so we work hard to make our update process as smooth and transparent as possible for customers – with no surprises. As part of that commitment, in 2011 we were able to address reported security issues effectively without resorting to emergency releases outside of the regular scheduled monthly releases,” Microsoft’s Mike Reavey said in a blog post.
“We understand the disruption that these “out-of-cycle” releases create for customers, and we take the decision to release an update out of cycle very seriously. Effective coordination with product teams, greater use of threat telemetry, the ability to release workarounds, and the ability to release defenses through partners like those in Microsoft’s Active Protection Program (MAPP) have all helped us to release all our 2011 bulletins in the usual monthly process. We’re glad about that, even though we will always reserve the right to release out-of-cycle if the situation merits it.”
Users who have automatic updates enabled on their machines should get the new patches within the next few hours.