December 6, 2016

Microsoft Fixes Duqu Vulnerability But Drops SSL Changes at Last Minute

(LiveHacking.Com) – As expected, Microsoft has released its Patch Tuesday security updates for December. Microsoft originally planned to release 14 bulletins but released only 13. The missing update was intended to change the way Windows works with SSL/TLS to minimize the recently discovered weaknesses of the security protocol highlighted by the BEAST (Browser Exploit Against SSL/TLS) hacking tool. However, Microsoft discovered compatibility issues between its changes and “a major third-party vendor.” Microsoft is “working with that vendor to address the issue.”

Microsoft did, however, fix the kernel-mode driver vulnerability that allows the Duqu malware to spread. The vulnerability allows remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files.

Microsoft also fixed a vulnerability in Windows Media Player and Windows Media Center that can allow remote code execution. Bulletin MS11-092 resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.

The other “Critical” level update addresses a vulnerability that could allow remote code execution if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.

 

Microsoft to Fix 20 Vulnerabilities Next Tuesday

(LiveHacking.Com) – Microsoft will fix 20 vulnerabilities for December’s Patch Tuesday. According to the Microsoft Security Bulletin Advance Notification for December 2011, the Redmond company will release 14 bulletins addressing 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Microsoft Publisher, and Windows Media Player.

Although Microsoft doesn’t release details of the bulletins until they are posted, pundits are suggesting that the patches will include a fix for the vulnerability that allows the Duqu intelligence-gathering Trojan to spread, and a fix for the SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0 flaws popularized a few months ago by the BEAST (Browser Exploit Against SSL/TLS) hacking tool.

Three of the 14 bulletins are marked as “critical” (the highest threat ranking) and the remaining 11 are tagged as “important” (the second-highest rating). Release of the bulletins is scheduled for Tuesday, December 13, 2011.