Microsoft Patch Tuesday – December 2011

“From Redmond with Love”

Recently, I had a chance to talk with Katie Moussouris, leader of the Security Community Outreach and Strategy team at Microsoft. The interview helped me realize that Microsoft has a lot to offer when it comes to not just fixing vulnerabilities in their own products, but other companies’ software as well:

• Microsoft has a team of people on the MSVR (Microsoft Vulnerability Research) who look for vulnerabilities in third-party software and help the third-parties fix the issues.
• MSVR practices Coordinated Vulnerability Disclosure, a term coined by the team and encompasses a philosophy for vulnerability disclosure (and one that omits the word “responsible” due to its misconstrued meanings).
• Microsoft is showing others how to create more secure software through their SDL program (I hope Adobe is adopting this, and if they have, their implementation is falling short).
• Microsoft has attempted to tell us where they document security vulnerabilities found internally, but this article seems to talk about variants, which are an off-shoot of the publicly disclosed vulnerabilities, not new vulnerabilities discovered internally by Microsoft. However, I am told that Microsoft does in fact document internally discovered vulnerabilities, but it’s not as widely publicized as the monthly bulletins.
• If you have the skills to come up with the next latest and greatest memory protection design, Microsoft could give you as much as $200,000 as part of the Blue Hat Prize contest.

One thing is for sure, I don’t believe that Microsoft isn’t trying to create more secure software. In fact, this month’s MSRC post shows that critical vulnerabilities reported by outside parties continue to be on the decline. Some may argue that it’s because people are not disclosing the vulnerabilities to Microsoft, and while that could be true, they deserve some of the credit for making efforts to improve software security.

Of course, there are more gifts from Microsoft this month in the form of 13 new security bulletins. To help evaluate the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable’s Research team has published Nessus plugins for each of the security bulletins issued this month:

• MS11-087 – Nessus Plugin ID 57273 (Credentialed Check)
• MS11-088 – Nessus Plugin ID 57274 (Credentialed Check)
• MS11-089 – Nessus Plugin ID 57275 (Credentialed Check)
• MS11-090 – Nessus Plugin ID 57276 (Credentialed Check)
• MS11-091 – Nessus Plugin ID 57277 (Credentialed Check)
• MS11-092 – Nessus Plugin ID 57278 (Credentialed Check)
• MS11-093 – Nessus Plugin ID 57279 (Credentialed Check)
• MS11-094 – Nessus Plugin ID 57280 (Credentialed Check)
• MS11-095 – Nessus Plugin ID 57281 (Credentialed Check)
• MS11-096 – Nessus Plugin ID 57282 (Credentialed Check)
• MS11-097 – Nessus Plugin ID 57283 (Credentialed Check)
• MS11-098 – Nessus Plugin ID 57284 (Credentialed Check)
• MS11-099 – Nessus Plugin ID 57285 (Credentialed Check)
• MS11-089, MS11-094 & MS11-096 – Nessus Plugin ID 57286 (Vulnerabilities in Microsoft Office Could Allow Remote Code Execution, combined plugin for Mac OS X)

Resources

• Microsoft Security Bulletin Summary for December 2011
• OSVDB Microsoft Bulletins – Complete Reference
• A look back at 2011’s security landscape