Update: Microsoft plans 20 patches next week, will fix Duqu and BEAST bugs

Final Patch Tuesday of the year will deliver 14 security updates

Microsoft today announced it will issue 14 security bulletins next week to patch 20 vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows Media Player.

Among the patches will be ones that plug the hole used by the Duqu intelligence-gathering Trojan, and fix the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 bug popularized three months ago by the BEAST, for "Browser Exploit Against SSL/TLS," hacking tool.

"They're all over the map," said Andrew Storms, director of security operations at nCircle Security, describing the wide range of Microsoft products slated for patching. "It looks like a big cleanup, where they're trying to get as much as they can off their plate before the end of the year."

Three of the 14 updates were tagged with Microsoft's "critical" label, the highest threat ranking in its four-step system, while the remaining 11 were marked "important," the second-highest rating.

Bugs in 10 of the updates could be exploited by attackers to remotely plant attack code on unpatched PCs, Microsoft said in its monthly advance notification that precedes each Patch Tuesday. A number of those bulletins were pegged as important, a move Microsoft makes when the bugs cannot easily be exploited because the pertinent components are not switched on by default or because defensive technologies like ASLR and DEP help protect users.

Storms pointed to the IE update as the one that users should apply as soon as possible, advice he -- and other researchers outside Microsoft -- regularly give when Microsoft patches its browser.

"What's kind of weird is that because of the every-other-month [IE patch] cycle, most people are online this month buying things, and not a lot of people will get around to patching," said Storms.

Although Microsoft has gotten into a six-times-a-year patch cadence for IE, Storms questioned whether it was smart to wait until the online spending frenzy to fix browser flaws.

"As we know, once the patches are out, the time necessary to find exploits for the bugs is shorter and shorter now," Storms said. "Why not bring the IE update back a month to November?"

The critical update labeled only as "Bulletin 1" should also be patched pronto, said Marcus Carey, a security researcher with Rapid7.

Carey correlated the versions of Windows affected by Bulletin 1 with those called out over a month ago in a Microsoft security advisory, and concluded that the update will patch the vulnerability exploited by Duqu, malware that some antivirus firms called a possible precursor to the next Stuxnet, the ultra-sophisticated worm that last year sabotaged Iran's nuclear fuel enrichment program.

"The main reason why I think this is the Duqu zero-day patch is that [Bulletin 1] requires a restart, which indicates it's a kernel-level bug that is being patched, and it affects all the same operating systems as in the [November] advisory," said Carey in an email.

Storms also expected that Microsoft would patch the TrueType parsing engine vulnerability identified by Microsoft as the bug Duqu leveraged in its attacks, which began months ago and stopped only in October.

He also anticipated an update to address long-standing issues in SSL 3.0 and TSL 1.0 within Windows. Microsoft released a security advisory in September on the bug after a pair of researchers crafted BEAST, the first-ever practical exploit of the years-old flaw.

Several hours after issuing the advance notification, Jerry Bryant, a group manager in Microsoft's Trustworthy Computing Group, affirmed that the updates will patch the Duqu and BEAST bugs.

"We can confirm that the issues described in Security Advisory 2588513 and 2639658 will be addressed in the December security update cycle," Bryant said in an email.

The 14 updates slated for next week are three off the record of 17 set in December 2010 and repeated in April 2011.

The total bulletin count for the year -- 100, or 5.6% fewer -- was also down from 2010, and the total number of vulnerabilities patched in those updates was 237, or 10.7% less than last year's record 266.

Mike Reavey, the director of the Microsoft Security Response Center (MSRC), will discuss the year's bulletins next week during the company's usual Patch Tuesday video announcement, but Storms expects Reavey won't focus on the numbers.

"I think they'll talk about how the severity of vulnerabilities has decreased," said Storms. "There do seem to have been fewer criticals than in the year prior."

Storms also pointed out that Microsoft has gone the entire year without issuing an emergency, or "out-of-cycle" update, while it shipped several in 2010.

Microsoft will release the 14 updates at approximately 1 p.m. ET on Dec. 13.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

See more articles by Gregg Keizer.

Join the discussion
Be the first to comment on this article. Our Commenting Policies