13 pre-Christmas patches from Microsoft
The last Microsoft patch day of the year has 13 updates which fix a total of 19 holes in Windows, Internet Explorer and Office, and will give system administrators plenty of work to do. One update was postponed at short notice due to compatibility issues.
Included in the patch collection is the update that everyone has been waiting for, as it corrects a critical flaw in the Windows kernel's code for processing TrueType fonts (MS11-087). That flaw is already being actively exploited, for example by the Duqu worm. The update for Windows Media Player described in MS11-092 is almost as critical: specially crafted Digital Video Recording (DVR-MS) files can cause memory corruption in the Media Player that can be exploited to launch attacks.
Seven further updates are designed to prevent attackers from infecting systems by injecting arbitrary code (Remote Code Execution); however, most of them are only rated as "important" by Microsoft. This is because successful attacks via these holes, for instance in Office products, require users to open a specially crafted malicious file.
Microsoft has postponed one of the announced updates due to compatibility issues with third-party products. The patch in question is designed to fix the SSL/TLS vulnerability that was disclosed in September; however, on the Microsoft Security Response Center's blog, Angela Gunn said that no active attacks exploiting this hole have so far been observed in the wild. Until the patch is released, probably next year, users can protect themselves by installing a Fix it. An overview of all the patches is available in Microsoft's Security Bulletin Summary for December 2011.