Microsoft Says Security Improves In 2011

Tuesday's release included 13 fixes, one less than Microsoft had promised in last week's preview. Among the baker's dozen were three critical patches and 10 fixes rated important. Six of the vulnerabilities were in Windows, one in Internet Explorer, five in Office and one in Windows Media Player.

The fix that got the most attention was the one for the Duqu exploit, which Microsoft rated as "important," a step down from critical. Microsoft gave the high-profile vulnerability a lower rating because of the difficulty in exploiting the flaw in the TrueType font parsing engine in Windows.

Duqu attracted a lot of media attention because of its similarities to the Stuxnet malware that is believed to have damaged control systems in Iran's nuclear facility last year. Discovered in October, Duqu does not have Stuxnet-like destructive capabilities. Instead, the Trojan is built to look for electronic documents in the systems of industrial suppliers and report back to hackers' command-and-control servers. The malware was found in at least eight countries, but not in the U.S.

The latest collection of patches brought the total number of 2011 fixes to 99, with less than a third rated critical, Microsoft said. That was the lowest number since 2005. In 2006, seven in 10 patches were critical, according to vendor Lumension Security.

Microsoft published all its patches this year during its regular release on the second Tuesday of each month. No emergency releases were made outside of the cycle. Duqu did prompt Microsoft to release a temporary plug early last month.

One patch that didn't make it into the December release was for the so-called SSL BEAST vulnerability. A researcher at the Ekoparty security conference in September demonstrated how a hacker could exploit the flaw to crack the Secure Sockets Layer (SSL) in Windows. SSL is a protocol used to send encrypted documents over the Internet. Microsoft said more work is needed to fix the vulnerability. There have been no reports of malware targeting the flaw.