December 2011 Microsoft Black Tuesday Summary

Overview of the December 2011 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	clients	servers
MS11-087	True Type Font Remote Execution Vulnerability (Replaces MS11-077)
MS11-087	True Type Font Kernel Drivers CVE-2011-3402	KB 2639417	actively exploited.	Severity:Critical Exploitability: 1	PATCH NOW!	Critical
MS11-088	Elevation of Privileges in Chinese version of Microsoft Office
MS11-088	Microsoft Office IME (Chinese) CVE-2011-2010	KB 2652016	no known exploits.	Severity:Important Exploitability: 1	Important	N/A
MS11-089	Remote Code Execution Vulnerability in Office (for OS X, replaces MS11-072 )
MS11-089	Microsoft Office (Windows and OS X) CVE-2011-1983	KB 2590602	no known exploits.	Severity:Important Exploitability: 1	Critical	N/A
MS11-090	Active X Kill Bits (Replaces MS11-027)
MS11-090	ActiveX CVE-2011-3397	KB 2618451	no known exploits.	Severity:Critical Exploitability: 1	Critical	Important
MS11-091	Remote Execution in Microsoft Publisher (Replaces MS10-103)
MS11-091	Microsoft Publisher CVE-2011-1508 CVE-2011-3410 CVE-2011-3411 CVE-2011-3412	KB 2607702	vuln. is disclosed.	Severity:Important Exploitability: 1,1,2	Critical	N/A
MS11-092	Remote Execution in Windows Media
MS11-092	Windows Media CVE-2011-3401	KB 2648048	no known exploits.	Severity:Critical Exploitability: 1	Critical	N/A
MS11-093	OLE RemoteCode Execution Vulnerability
MS11-093	OLE CVE-2011-3400	KB 2624667	no known exploits.	Severity:Important Exploitability: 1	Critical	N/A
MS11-094	PowerPoint Remote Execution Vulnerability (Replaces MS11-036 MS11-022 MS11-072)
MS11-094	Powerpoint CVE-2011-3400	KB 2639142	no known exploits.	Severity:Important Exploitability: 2	Critical	N/A
MS11-095	Vulnerability in Active Directory Could Allow Remote Code Execution (Replaces MS11-086)
MS11-095	Active Directory, Active Directory Application Mode, and Lightweight Directory Service CVE- 2011-3406	KB 2640045	no known exploits.	Severity:Important Exploitability: 1	Important	Important
MS11-096	Vulnerability in Microsoft Excel Could Allow Remote Code Execution (Replaces MS11-072)
MS11-096	Excel 2003 CVE-2010-2568	KB 2286198	Exploit code likely.	Severity:Important Exploitability: 1	Critical	Important
MS11-097	Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (Replaces MS11-010)
MS11-097	Run-Time Subsystem CVE-2011-3408	KB 2620712	no known exploit.	Severity:Important Exploitability: 1	Important	Important
MS11-098	Vulnerability in Windows Kernel Could Allow Elevation of Privilege (Replaces MS10-047 MS10-021 MS11-068)
MS11-098	Windows Kernel CVE-2011-2018	KB 2633171	no known exploit.	Severity:Important Exploitability: 1	Important	Important
MS11-099	Cumulative Security Update for Internet Explorer
MS11-099	Internet Explorer CVE-2011-1992 CVE-2011-2019 CVE-2011-3404	KB 2618444	no known exploit.	Severity:Important Exploitability: 3,1	Important	Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Cyber Defense Forum & Training

Johannes

3950 Posts
ISC Handler

Dec 13th 2011

Johannes, thanks again for the overview!

I found an improvement though: somehow you've partially mixed up MS11-096 (Excel, KB2640241, important) with MS10-046 (Shell, KB2286198, critical).

MS11-096 applies to Excel from Office 2003 SP3 (and probably all older versions). Although a crafted Excel file sent by e-mail or provided on a web site allows for remote code execution (user interaction required), MS11-096 is rated "important" by Microsoft.

Erik van Straten

126 Posts

You can't really use the Microsoft rating for much, this is why the ISC rating is much better.
The rating from Microsoft is dependent on how important they think the product is. Office 2003 is old, so it can probably never get any more critical exploits. It is important to keep this in mind when reading the MS rating.
Old or small market products (BizTalk, Commerce Server etc) will probably not get critical unless their is an active exploit in the wild. They do not want to scare their mainstream customers.

Povl H.

74 Posts

BTW: Microsoft only says MS11-087 is moderate. This is because they think the likelihood of a user downloading/double-clicking a file/attachment is close to none.
Exploits in the wild, current attack vectors and attack runs means little to MS.

Povl H.

74 Posts

Does anyone think MS11-095 should be rated High, at least for Domain controllers?

Remote code execution on a DC with “Exploit code likely” <- read reliably exploitable. Or is just the fact that some domain credentials are needed and that there may be a firewall somewhere reason to rate it only important? Interested to see what your thoughts are on this.
Sherb

Povl H.
2 Posts

One tidbit regarding MS11-095 can be found at http://blogs.technet.com/b/srd/archive/2011/12/13/assessing-the-risk-of-the-december-2011-security-updates.aspx . Specifically, under Notes they mention, "Not all domain controllers are vulnerable. Attacker can only trigger vulnerability on a DC’s that return a certain sequence of content to an LDAP query." So perhaps that mitigating factor is why they ranked it a moderate. I've been watching the SRD blog in hopes they'll post some interesting explanation of the whole thing that might prove illuminating and edifying. ;)

Anonymous