In the final Patch Tuesday of 2011 Microsoft released 13 security bulletins, three of them classified as critical, to fix 19 vulnerabilities affecting desktop versions of Windows, Windows Server 2003, Office, Internet Explorer and Windows Media Player.
The three critical bulletins, which Microsoft officials advise should be applied immediately, involve remote code execution vulnerabilities in Windows desktop. One of the updates resolves a privately reported vulnerability that could allow remote execution if a user were to view “a specifically crafted Web page that employs binary behavior in Internet Explorer,” according to company officials.
Users who have been granted fewer rights on the system are likely to be less impacted than those with administrative rights. This update also contains kill bits for four different third-party ActiveX controls, officials said.
Another security bulletin addresses a privately reported vulnerability that could allow remote code execution if users open a file containing a “specifically crafted” OLE object. Hackers successfully exploiting this flaw can gain the same rights as the local user. This vulnerability, rated as “important,” does not, however, affect Windows Server 2008, Windows Server 2008 R2, Windows 7 and Windows Vista, according to Microsoft.
A third privately reported vulnerability, also classified as “important,” allows hackers to remotely execute code in Active Directory, Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Service. To exploit this flaw, attackers must acquire credentials to log on to an Active Directory domain.
Microsoft did address the vulnerability that could be exploited by the Duqu intelligence-gathering Trojan. The company had put out an advisory about this flaw in November after the discovery of what some industry observers called a “possible precursor to the next Stuxnet,” the sophisticated worm that served to sabotage Iran’s nuclear program in 2010.
In addition to the security bulletins, Microsoft also released an enhanced version of its Windows Malicious Software Removal Tool, available on Windows Update, Windows Server Update Services and the company’s Download Center.
For more technical information about December’s security bulletins, users can visit Microsoft’s Security Techcenter.