Hi everyone. Mike Reavey from the MSRC here. Today we're releasing our Advance Notification Service for the December 2010 security bulletin release. As we do every month, we've given information about the coming December release and provided links to detailed information so you can plan your deployment by product, service pack level, and severity. However, since this is the last release for the year, I thought it would also be a good time to take a look back at the security releases we've had over the last 12 months.

First, for December we're releasing 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Looking back over 2010, that brings the total bulletin count to 106, which is more bulletins than we have released in previous years. This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report. This isn't really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to ten years. (One of our most popular operating systems from the turn of the century, XP SP2, reached its end-of-support life in mid-2010, in fact.) Vulnerability research methodologies, on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known.

At the end of the day, Microsoft's primary focus is to release reliable, high-quality updates to our customers. Feedback from customers indicates that this is the most important factor in minimizing disruption and allowing them to deploy our updates quickly - even more important than the overall number of security updates.

Back to this month's bulletins. We're addressing two issues this month that have attracted interest recently. First, we will be closing the last of the Stuxnet-related issues this month. This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware. We're also addressing the Internet Explorer vulnerability described in Security Advisory 2458511. Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP). On that note, I want to point you to a new post on the Security Research & Defense team blog describing the effectiveness of DEP and ASLR against the types of exploits we see in the wild today.

We encourage customers to review this month's bulletins and to prioritize their installation according to the needs of their environment.  (And, of course, for most home users these updates will be installed automatically.)  If you have questions, join us next Wednesday (December 15) when Jonathan Ness and Jerry Bryant will host a live webcast covering the December bulletins. They'll go into detail about the release and answer your bulletin-related questions live on the air. Register at the link below:

Date: Wednesday, December 15
Time: 11:00 a.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454441

Thanks,

Mike Reavey
Director, MSRC