Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important.

These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:

  • MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
  • MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Why 13 bulletins and not 14, as we stated in the ANS announcement on Thursday? After that announcement, we discovered an apps-compatibility issue between one bulletin-candidate and a major third-party vendor. We’re currently working with that vendor to address the issue on their platform, after which we’ll issue the bulletin as appropriate. As ever, we’d much rather withdraw a potential bulletin than ship something that might inconvenience customers, however limited that inconvenience in scope. The issue addressed in that bulletin, which we have been monitoring and against which we have seen no active attacks in the wild, was discussed in Security Advisory 2588513.

In the video below, Jerry Bryant discusses this month's bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Deployment Priority

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

Exploitability Index

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the December security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, December 14, 2011 at 11 A.M. PST. Click here to register.

Thanks,
Angela Gunn
Trustworthy Computing.