Friday, December 16, 2011

December Windows Update - PATCH NOW! Also, Java updates are out.

The December Windows Updates were released on Tuesday, and one of them is rated PATCH NOW! by SANS as it is actively being exploited already.  The patches are widely documented both on user-friendly blogs and Microsoft's Technet blog.
ISC Diary | December 2011 Microsoft Black Tuesday Summary
Security Updates for Microsoft Windows, Java — Krebs on Security
Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.

The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems.

The other two critical updates fix bugs in ActiveX and Windows Media Player. The remaining patches address less severe but still dangerous security holes in Windows, Microsoft Office and Microsoft Publisher. A more detailed breakdown of this month’s updates is available here. Patches are available via Windows Update.

Thirteen patches from Microsoft, including Duqu fix - SC Magazine US

Microsoft on Tuesday pushed out 13 patches, one fewer than anticipated, to address 19 security vulnerabilities, including a bug that allows the data-stealing Duqu trojan to spread.

Duqu, the so-called "son of Stuxnet" trojan, contains a dropper program that exploits the vulnerability, located in the Windows kernel, Microsoft revealed in early November. The software giant subsequently issued a workaround, and the issue now is corrected with bulletin MS11-087, rated "critical."

“The most important patch this month is the TrueType font parsing issue, which is the zero-day vulnerability exploited as part of the Duqu targeted attacks,” said Joshua Talbot, security intelligence manager of Symantec Security Response. “The Duqu malware didn't actually incorporate an exploit for this issue in its code, but the vulnerability was used by malicious email attachments to load Duqu onto targeted systems.”

Tuesday's other high-priority patch is MS11-092, also rated critical, which remedies a vulnerability in Windows Media that could permit remote code execution. The third and final critical fix, MS11-090, involves an ActiveX issue.

The security update also included a patch -- MS11-099 -- for three Internet Explorer (IE) vulnerabilities. A cumulative patch for the popular web browser typically ranks higher on Microsoft's deployment priority chart, but not this month.


The December bulletins are released - MSRC - Site Home - TechNet Blogs
13 Dec 2011 10:19 AM

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important.

These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:

    MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
    MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
In other security news, Oracle has released security updates to both active versions of Java and the JRE. If you have Java installed, you need to update from 6u29 or 7u1 to 6u30 or 7u2.  You may have to update manually as the "Update" button on any Java 6u29 installation that I tested was not returning update 6u30 as I write this.  The installers can be downloaded from here: Java SE Downloads. Again the updates are widely documented on user-friendly blogs (and also in the extremely user-hostile Oracle release notes).
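Because the in-product "Update" button was not offering 6u30 at the time, a quick inventory check is useful before trusting it. The following PowerShell script is an added example (not from the original post): it reads the per-install JRE subkeys that the Java installer registers under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment (and the Wow6432Node path for 32-bit Java on 64-bit Windows) and flags any Java 6 install below update 30 or any Java 7 install below update 2.

```powershell
# Added example (not from the original post): inventory the JREs registered
# under the JavaSoft registry keys and flag any older than 6u30 / 7u2, the
# minimum update levels named in the post.
$Baseline = @{ 6 = 30; 7 = 2 }   # Java family -> minimum update number

$RegPaths = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'  # 32-bit JRE on 64-bit Windows
)

function Parse-JreVersion {
    param([string]$Name)
    # Per-install subkeys are named like "1.6.0_29" or "1.7.0_02";
    # the family-level keys ("1.6", "1.7") do not match and are skipped.
    if ($Name -match '^1\.(\d)\.0_(\d+)$') {
        return New-Object PSObject -Property @{
            Family = [int]$Matches[1]
            Update = [int]$Matches[2]
        }
    }
    return $null
}

$Results = foreach ($Path in $RegPaths) {
    if (-not (Test-Path $Path)) { continue }
    foreach ($Key in Get-ChildItem $Path) {
        $v = Parse-JreVersion $Key.PSChildName
        if ($null -eq $v) { continue }

        if (-not $Baseline.ContainsKey($v.Family)) {
            $Status = 'Family not covered by this check'
        } elseif ($v.Update -lt $Baseline[$v.Family]) {
            $Status = "OUTDATED - install $($v.Family)u$($Baseline[$v.Family]) manually"
        } else {
            $Status = 'OK'
        }

        New-Object PSObject -Property @{
            Version  = $Key.PSChildName
            JavaHome = (Get-ItemProperty -Path $Key.PSPath).JavaHome
            Status   = $Status
        }
    }
}

$Results | Format-Table Version, JavaHome, Status -AutoSize
```

Every row marked OUTDATED points at a JavaHome directory that still holds the old runtime; an install that the updater skipped will show up here even after the "Update" button reports nothing new.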
ISC Diary | Java 6u30 released
Oracle have released Java 6 Update 30 (6u30) today. The fixes are mostly of functional nature. As far as we can tell from the release notes, no gaping security craters had to be leveled out this time .. for a change. Two security related fixes are still noteworthy for developers, one affects the use of SSL (TLS_DH_anon_WITH_AES_128_CBC_SHA), the other is about the use of secure cookies in HTTPS when the applet gets invoked via JavaScript.  The full release information and list of fixes are available on Oracle's web site.
Oracle updates Java, Adobe patches ColdFusion - SC Magazine US
Oracle on Monday released an update to its Java software, fixing several security flaws.

The update, Java 6 Update 30 (6u30), contains mostly performance and stability fixes and is largely void of “gaping security craters .. for a change,” Daniel Wesemann, a handler for the SANS Internet Storm Center, wrote in a blog post Monday. It does, however, contain security fixes that impact developers, he said.

The update, for example, clears up an issue that caused Java 6 Update 29 to break SSL connectivity. Another problem involves secure cookies being sometimes dropped.

Security Updates for Microsoft Windows, Java — Krebs on Security
In other patch news, Oracle has released yet another update to its Java software. Oracle released updates to Java versions 6 and 7, but only the Java 6 Update 30 includes security fixes. It appears from a close examination of Oracle’s unbelievably labyrinthine security advisories that Update 30 addresses at least six separate security issues. Anyone who wants to read more about the specific details of the flaws fixed in this update without having to wade through countless advisories can do so by clicking this link. While none of the flaws look especially bad, if you are using Java it’s time to either update it or dump it (I continually urge readers to do the latter). Updates are available from the Java console (available through the Windows Control Panel).
Oracle Java - 6u30-relnotes
Oracle Java - 7u2-relnotes