News

Microsoft prepares for 14 bulletins, no indication of Duqu repair

Hillary O'Rourke, Contributor

Microsoft said it would update 14 security bulletins, addressing 20 vulnerabilities, three of which are rated “critical,” for its December 2011 Patch Tuesday. The company did not announce whether it would repair a zero-day vulnerability

    Requires Free Membership to View

being exploited by the Duqu Trojan.

The software giant issued its advance notification today, preparing to tackle flaws affecting Microsoft Windows, Office, Internet Explorer, Microsoft Publisher and Windows Media Player. The security bulletins are slated to be released December 13.

Of the three critical bulletins, only one requires a restart while the remaining two may require a restart. All three affect Microsoft Windows and could allow remote code execution if left unpatched. Researchers have been awaiting a Windows kernel repair which would block Duqu from using the vulnerability to execute on sensitive systems. Engineers were still working on a patch in November.  

The remaining 11 security bulletins are rated “important.” Five of them require a restart while six may require a restart, Microsoft said.

The notification shows the majority of the important bulletins could allow remote code execution, one could enable disclosure of information and three, if left unpatched, could allow an elevation of privilege.

Along with the monthly advance notification, Microsoft also pointed out an update to its Microsoft Active Protections Program (MAPP). In a blog post, the company explained the update should provide customers with greater transparency, showing how MAPP partners use the information when Microsoft releases security advisories.

According to the post, Microsoft has developed a new process in which it lists its MAPP partners who have confirmed that they released protection within 96 hours after the advisory release on a special web page.

For its November Patch Tuesday, the software giant tackled four security bulletins in Microsoft Windows, only one rating “critical.” The company didn’t release any Duqu zero-day patches as expected but did issue a workaround the week before.