December 2009 Bulletin Release Advance Notification

Advance Notification for the December 2009 Security Bulletin Release

For December we are planning to release six new security bulletins addressing 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of the bulletins have a maximum severity rating of Critical and three have a maximum severity rating of Important. To help customers plan for their deployment of these updates, I want to specifically call out that they touch all supported versions of Windows and IE. On the Office side, the bulletins impact Project, Word and Works 8.5. All of the updates for Windows will require a restart, so please plan accordingly.

We want to make customers aware that we will be addressing the vulnerability discussed in Security Advisory 977981 in the IE bulletin on Tuesday. We know that customers are concerned about this issue and we are also aware that Proof of Concept (PoC) code is available publicly.

Here is a preview of the guidance we will be releasing with the bulletins on Tuesday: The IE update maps to bulletin number 4 in the ANS and will be at the top of our deployment priority list. The other critical update affecting Windows (bulletin number 1) will have a lower Exploitability Index rating, so while the impact is higher with a Critical severity rating, the lower risk will drop the deployment priority down a little. The final critical update, affecting Microsoft Project (bulletin number 3), is rated Critical only for Project 2000. The other affected versions are rated Important. That, coupled with a lower Exploitability Index, will also drive it down on the deployment priority list. Customers have asked us to map the numbered bulletins in the ANS to the final bulletin IDs after release, so we will be doing that in the blog post here on Tuesday.

We are targeting the release of these bulletins for next Tuesday, Dec. 8, at 10:00 a.m. PST (UTC -8). We will post more guidance at that time both here on the MSRC blog and on the Security Research & Defense (SRD) blog. Our guidance will include risk and impact information, our deployment priority list and deeper technical information on the bulletins from the SRD team. Until then, please review the ANS page here.

Also, next Wednesday please join Adrian Stone and me as we host a live webcast where we go into detail on each bulletin and answer all of your questions live with the help of a room full of subject matter experts on these updates. Here is the event information:

Date: Wednesday Dec. 9
Time: 11:00 a.m. PST (UTC -8)
Registration and event link:

I hope you can join us then!

Jerry Bryant

*This posting is provided “AS IS” with no warranties, and confers no rights*