Update: Microsoft plans 20 patches next week, will fix Duqu and BEAST bugs
Final Patch Tuesday of the year will deliver 14 security updates
Computerworld - Microsoft today announced it will issue 14 security bulletins next week to patch 20 vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows Media Player.
Among the patches will be ones that plug the hole used by the Duqu intelligence-gathering Trojan, and fix the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 bug popularized three months ago by the BEAST, for "Browser Exploit Against SSL/TLS," hacking tool.
"They're all over the map," said Andrew Storms, director of security operations at nCircle Security, describing the wide range of Microsoft products slated for patching. "It looks like a big cleanup, where they're trying to get as much as they can off their plate before the end of the year."
Three of the 14 updates were tagged with Microsoft's "critical" label, the highest threat ranking in its four-step system, while the remaining 11 were marked "important," the second-highest rating.
Bugs in 10 of the updates could be exploited by attackers to remotely plant attack code on unpatched PCs, Microsoft said in its monthly advance notification that precedes each Patch Tuesday. A number of those bulletins were pegged as important, a move Microsoft makes when the bugs cannot easily be exploited because the pertinent components are not switched on by default or because defensive technologies like ASLR and DEP help protect users.
Storms pointed to the IE update as the one that users should apply as soon as possible, advice he -- and other researchers outside Microsoft -- regularly give when Microsoft patches its browser.
"What's kind of weird is that because of the every-other-month [IE patch] cycle, most people are online this month buying things, and not a lot of people will get around to patching," said Storms.
Although Microsoft has gotten into a six-times-a-year patch cadence for IE, Storms questioned whether it was smart to wait until the online spending frenzy to fix browser flaws.
"As we know, once the patches are out, the time necessary to find exploits for the bugs is shorter and shorter now," Storms said. "Why not bring the IE update back a month to November?"
The critical update labeled only as "Bulletin 1" should also be patched pronto, said Marcus Carey, a security researcher with Rapid7.
Carey correlated the versions of Windows affected by Bulletin 1 with those called out over a month ago in a Microsoft security advisory, and concluded that the update will patch the vulnerability exploited by Duqu, malware that some antivirus firms called a possible precursor to the next Stuxnet, the ultra-sophisticated worm that last year sabotaged Iran's nuclear fuel enrichment program.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Live Webcast How to serve up a Grand Slam with a scalable IT Infrastructure for cloud, big data and advanced analytics Register today to attend this webcast, and see examples of how The U.S. Tennis Association, Wimbledon and U.S. Golf Association are using the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!