ISC Diary | December 2011 Microsoft Black Tuesday Summary
In other security news, Oracle has released security updates to both active versions of Java and the JRE. If you have Java installed, you need to update from 6u29 or 7u1 to 6u30 or 7u2. You may have to update manually as the "Update" button on any Java 6u29 installation that I tested was not returning update 6u30 as I write this. The installers can be downloaded from here: Java SE Downloads. Again the updates are widely documented on user-friendly blogs (and also in the extremely user-hostile Oracle release notes).
Security Updates for Microsoft Windows, Java — Krebs on Security
Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.
Thirteen patches from Microsoft, including Duqu fix - SC Magazine US
The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems.
The other two critical updates fix bugs in ActiveX and Windows Media Player. The remaining patches address less severe but still dangerous security holes in Windows, Microsoft Office and Microsoft Publisher. A more detailed breakdown of this month’s updates is available here. Patches are available via Windows Update.
Duqu, the so-called "son of Stuxnet" trojan, contains a dropper program that exploits the vulnerability, located in the Windows kernel, Microsoft revealed in early November. The software giant subsequently issued a workaround, and the issue now is corrected with bulletin MS11-087, rated "critical."
“The most important patch this month is the TrueType font parsing issue, which is the zero-day vulnerability exploited as part of the Duqu targeted attacks,” said Joshua Talbot, security intelligence manager of Symantec Security Response. “The Duqu malware didn't actually incorporate an exploit for this issue in its code, but the vulnerability was used by malicious email attachments to load Duqu onto targeted systems.”
Tuesday's other high-priority patch is MS11-092, also rated critical, which remedies a vulnerability in Windows Media that could permit remote code execution. The third and final critical fix, MS11-090, involves an ActiveX issue.
The security update also included a patch -- MS11-099 -- for three Internet Explorer (IE) vulnerabilities. A cumulative patch for the popular web browser typically ranks higher on Microsoft's deployment priority chart, but not this month.
The December bulletins are released - MSRC - Site Home - TechNet Blogs
13 Dec 2011 10:19 AM
Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important.
These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:
MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
The update, Java 6 Update 30 (6u30), contains mostly performance and stability fixes and is largely void of “gaping security craters .. for a change,” Daniel Wesemann, a handler for the SANS Internet Storm Center, wrote in a blog post Monday. It does, however, contain security fixes that impact developers, he said.
In other patch news, Oracle has released yet another update to its Java software. Oracle released updates to Java versions 6 and 7, but only the Java 6 Update 30 includes security fixes. It appears from a close examination of Oracle’s unbelievably labyrinthine security advisories that Update 30 addresses at least six separate security issues. Anyone who wants to read more about the specific details of the flaws fixed in this update without having to wade through countless advisories can do so by clicking this link. While none of the flaws look especially bad, if you are using Java it’s time to either update it or dump it (I continually urge readers to do the latter). Updates are available from the Java console (available through the Windows Control Panel).
Oracle Java - 6u30-relnotes
Oracle Java - 7u2-relnotes