Microsoft Patches Duqu, Leaves BEAST


Microsoft users, it's time to update your systems for the final Patch Tuesday security release of 2011. This month's patch haul includes 13 bulletins, one less than originally expected.

"We initially expected 14 bulletins for this December Patch Tuesday; however the much awaited fix for 'The Beast' SSL issue was not released today after all," Paul Henry, security and forensic analyst for Lumension said in an email to "Given the extensive regression testing Microsoft does across various configurations, my assumption is that additional testing is likely required for an issue as complex as this."

The BEAST SSL attack was first exposed in September as a possible threat that takes advantage of of weaknesses in cipher block chaining (CBC). At the time of the initial disclosure, Microsoft spokesperson Jerry Bryant told that Microsoft considered the issue to be a low risk.

While Microsoft is not addressing the BEAST SSL issue this month, they are addressing a previously disclosed flaw, related to the Duqu malware. Duqu was revealed in October as being a Stuxnet-like espionage effort powered by malware. In early November, Microsoft admitted that Duqu was enabled by a zero day flaw in Windows.

"The vulnerability could allow remote code execution if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer," Microsoft's MS11-090 security advisory warns. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

The MS11-088 advisory is another critical vulnerability, this time related to a remote code execution risk in Windows Media Player and Windows Media Center.

"The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file," Microsoft stated. "In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so."

Beyond the ActiveX kill bits vulnerability, on the browser front the December Patch update provides three security fixes that Microsoft is rolling up into MS11-099 titled, 'Cumulative Security Update for Internet Explorer."

"The most severe vulnerability could allow remote code execution if a user opens a legitimate HyperText Markup Language (HTML) file that is located in the same directory as a specially crafted dynamic link library (DLL) file," Microsoft stated.

Overall 2011 was a busy year for Microsoft security, issuing 99 security bulletins in total. While the grand total is a big number, Mike Reavey, Senior Director of the Microsoft Security Response Center noted that the number of critical issues is on the decline. According to Reavey, critical vulnerabilities are now at the lowest levels since 2005.

"The fact that we’re seeing lower percentages of Critical issues and bulletins year-over-year demonstrates progress made by the product groups in creating more secure software," Reavey blogged.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.