Microsoft Readies Three Critical Patches
Microsoft issued a pre-patch bulletin Thursday, saying the releases would be available Dec. 13. Microsoft releases fixes for Windows, Office, Internet Explorer and other products on the second Tuesday of each month.
December's release reflects a continuing trend of more critical patches for older software than newer products. All three fixes affect Windows XP, Windows Vista and Windows Server 2003, while only one affects Windows 7 and Windows Server 2008.
The remaining patches, including the one for the Duqu Trojan, are rated "important," a step down from critical. Five of these patches affect Office 2003, 2007 and 2010, including the Mac versions; one is for Internet Explorer 6 through 9, and the rest apply to all versions of Windows.
Microsoft has shown improvement in security, judging by the number of critical patches. In 2006, seven out of 10 security patches were critical. This year, 30 percent of the patches carried the vendor's highest rating, Paul Henry, forensic analyst for security vendor Lumension Security, said in an e-mailed statement. "In an otherwise volatile threat landscape, this is good news for everyone."
Another positive note is a finished patch for the zero-day vulnerability exploited by the Duqu Trojan. Microsoft released a temporary fix for the Windows flaw in November.
Duqu, discovered in October, is capable of gathering information from infected systems and sending the data to a remote command-and-control server. The malware has many similarities to Stuxnet, which is believed to have damaged control systems in Iran's nuclear facility last year.
Duqu, which does not have Stuxnet-like destructive capabilities, was found in the systems of industrial suppliers in at least eight countries. The malware was not found in the U.S.