Microsoft users, it’s time to update your systems for the final Patch Tuesday security release of 2011. This month’s patch haul includes 13 bulletins, one less than originally expected.
“We initially expected 14 bulletins for this December Patch Tuesday; however the much awaited fix for ‘The Beast’ SSL issue was not released today after all,” Paul Henry, security and forensic analyst for Lumension, said in an email to InternetNews.com. “Given the extensive regression testing Microsoft does across various configurations, my assumption is that additional testing is likely required for an issue as complex as this.”
The BEAST SSL attack was first exposed in September as a possible threat that takes advantage of weaknesses in cipher block chaining (CBC). At the time of the initial disclosure, Microsoft spokesperson Jerry Bryant told InternetNews.com that Microsoft considered the issue to be a low risk.
While Microsoft is not addressing the BEAST SSL issue this month, it is addressing a previously disclosed flaw related to the Duqu malware. Duqu was revealed in October as being a Stuxnet-like espionage effort powered by malware. In early November, Microsoft admitted that Duqu was enabled by a zero-day flaw in Windows.
“The vulnerability could allow remote code execution if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer,” Microsoft’s MS11-090 security advisory warns. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Read the full story at eSecurityPlanet:
Microsoft Patches Duqu, Leaves BEAST
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.