Assessing the risk of the December 2011 security updates - Security Research & Defense - Site Home

Today we released thirteen security bulletins. Three have a maximum severity rating of Critical with the other ten having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin	Most likely attack vector	Max Bulletin Severity	Max Exploit-Ability Index	Likely first 30 days impact	Platform mitigations and key notes
MS11-087 (TTF Font parsing)	Victim opens a malicious Office document or browses to a malicious website.	Critical	1	Attacks seen in the wild have exploited this vulnerability to install Duqu malware.	Browser-based attack vector more difficult to both trigger and exploit than the Office document attack vector. Successful exploitation results in code running as SYSTEM. See this SRD blog post for more information about attack vectors and workarounds.
MS11-092 (Windows Media)	Victim browses to a malicious website that offers malformed DVR-MS media file.	Critical	1	Victim browses to a malicious website that offers malformed DVR-MS media file.
MS11-090 (Killbits)	Victim browses with IE6 to a malicious website.	Critical	1 (IE6 only)	Likely to see exploit code developed for IE6 in next 30 days.	IE7 and later have disabled this particular binary behavior already. See this SRD blog post for more information about this binary behavior and why we are disabling it via a killbit security update.
MS11-089 (Office)	Victim opens a malicious DOCX file.	Important	1	Likely to see exploit code developed in next 30 days.	Affects new Open XML-based file format. Therefore FileBlock and MOICE are not valid workarounds.
MS11-096 (Excel)	Victim opens a malicious XLS file.	Important	1	Likely to see exploit code developed in next 30 days.
MS11-094 (PowerPoint)	Victim opens a malicious PPT file.	Important	1	Likely to see exploit code developed for CVE-2011-3396, a DLL preloading issue.
MS11-099 (Internet Explorer)	None of the issues addressed in this update could result in remote code execution. The most likely-to-be-attacked issue could facilitate an XSS attack: victim would browse to a malicious website which may have access to information that the victim would automatically send to a different domain.	Important	1	Likely to see exploit code developed for CVE-2011-2019, a DLL preloading issue.
MS11-095 (Active Directory)	Attacker able to authenticate to domain controller sends valid LDAP request. The DC generating the response could potentially allow malicious code to run in the context of LSASS (SYSTEM).	Important	1	Likely to see exploit code developed in next 30 days.	Not all domain controllers are vulnerable. Attacker can only trigger vulnerability on a DC’s that return a certain sequence of content to an LDAP query.
MS11-091 (Publisher)	Victim opens a malicious PUB file.	Important	1	Likely to see exploit code developed in next 30 days for older versions of Publisher.	Publisher 2010 not affected.
MS11-098 (Kernel)	Attacker logged-in to a machine locally exploits vulnerability to elevate to a higher privilege level.	Important	1	Likely to see exploit code developed in next 30 days.
MS11-097 (CSRSS)	Attacker logged-in to a machine locally exploits vulnerability to elevate to a higher privilege level.	Important	1	Likely to see exploit code developed in next 30 days.
MS11-088 (Office IME)	Attacker logged-in interactively to a machine exploits vulnerability to elevate to a higher privilege level.	Important	1	Likely to see exploit code developed in next 30 days.	Only affects systems where Microsoft Pinyin Chinese IME is installed.
MS11-093 (OLE32)	Victim right-clicks on a malicious Office document and chooses to display its Properties.	Important	1	Likely to see exploit code developed in next 30 days.

Thanks to the entire MSRC Engineering team for the hard work on these cases!!

- Jonathan Ness, MSRC Engineering