Tis the season of good friends, good food, good conversation and of course patching your network. Today marks the final Patch Tuesday of 2011, and it’s a big one. Microsoft is giving the gift of 13 security bulletins addressing 19 vulnerabilities to add to the stress of this holiday season. Not to be outdone by Microsoft, other software vendors such as Google and Adobe are also joining in on the season of giving by releasing updates of their own. This combination of Microsoft and non-Microsoft patch releases will definitely keep us busy this season.
On the Microsoft side, there are two bulletins administrators should look to patch immediately. MS11-087 fixes a zero-day vulnerability in the Windows Kernel-Mode Drivers. Microsoft released Security Advisory 2639658 on November 3, 2011 for this vulnerability. This Security Advisory was released just before the November 2011 Patch Tuesday. There was speculation at the time that Microsoft would patch this vulnerability in the November 2011 Patch Tuesday release. Exploit code for this vulnerability was published and Microsoft received reports of limited attacks against this vulnerability. But, Microsoft did not see wide spread attacks against the zero-day vulnerability and this patch did not make it into the November release cycle. This allowed Microsoft to release the corresponding Security Bulletin during today’s Patch Tuesday. As with any zero-day vulnerability, it is critical to patch your systems as soon as possible. To date the vulnerability has been exploited a limited numbers times, but the possibility of a wide spread attack is always greater with zero-day vulnerabilities.
With MS11-087, administrators may have applied a workaround as stated in the Security Advisory released last month. This workaround denied all access to a specific vulnerable DLL on the system. You do not need to unapply the workaround to apply the patch. But, it is advised that you unapply the workaround after applying the patch to restore functionality to the system. If the workaround is left in place, users may not be able to see all fonts on a system, and this could lead to an uptick in support calls.
The next bulletin administrators should look at patching as soon as possible is the bi-monthly cumulative update for Internet Explorer. MS11-099 fixes multiple vulnerabilities in the browser. Although none of the vulnerabilities are publicly known or actively being attacked, any browser is a prime target for attackers.
There is an important note regarding Security Bulletin MS11-088 that administrators should be aware of. This bulletin is only available on the Microsoft Download Center. This means administrators must manually find the affected product on their network and manually apply the patch. This bulletin affects IME for Chinese Office installations. The Office installation must be Chinese. Any other installation of Office in a language other than Chinese is not affected unless they have been installed with the Chinese Pinyin IME component.
As a final holiday gift from Microsoft, their Advanced Notification for this Patch Tuesday stated there would be 14 bulletins released this month, but they have only released 13 bulletins. Obviously one of the bulletins needed to be pulled from release due to quality issues. We will continue to monitor Microsoft to see why one bulletin is missing from today’s release.
On the non-Microsoft side, Google has released a new version of their Chrome browser. This security update addresses 15 vulnerabilities as well as new features.
Adobe is releasing multiple bulletins for their products. Adobe security bulletin APSB11-29 addresses two vulnerabilities in their ColdFusion product. In addition, Adobe is patching their Adobe Reader/Acrobat version 9 products today. Adobe announced last week they would be addressing a zero-day vulnerability in Reader and Acrobat today in version 9 only. Adobe Acrobat and Reader version 10 also contain the software vulnerability. But due to a protected mode in Acrobat and Reader version 10, an attacker cannot exploit the vulnerability. Adobe will patch this version of Reader and Acrobat during their regularly scheduled quarterly update during the January 2012 Patch Tuesday.
Apple has released a new version of their iTunes product with iTunes 10.5.2. This update is a non-security update.
VMware is also releasing a new version of their MozyPro backup software. MozyPro 18.104.22.168 is a non-security update.
And Oracle has joined the list of other software vendors providing updates today by releasing a new version of their Java product. Java 6 update 30 is a non-security update. This update is currently only available for JDK download. We will have to see if Oracle makes this version available to the public on the java.com webpage later today.
I will be reviewing the November 2011 in depth during my monthly Patch Tuesday webinar tomorrow at 11am CDT. You can register to attend the live webinar here.
– Jason Miller