December 2009 Security Bulletin Release

Summary of Microsoft’s Security Bulletin Release for December 2009

As noted in our Advance Notification (ANS) last Thursday, for the December bulletin release we issued six security bulletins addressing 12 vulnerabilities. Affected products include Windows, Internet Explorer (IE) and Microsoft Office products.

In the ANS, we also noted that the bulletin for IE (MS09-072) is at the top of our deployment priority list this month. As you can see from our Severity and Exploitability Index slide (also referred to as the Risk and Impact slide), MS09-072 is the only bulletin this month that has both a Critical severity rating and our maximum Exploitability Index rating of 1. Of note, each of the five vulnerabilities addressed in this bulletin is Critical, and each also has an Exploitability Index rating of 1. One of the vulnerabilities was the subject of Security Advisory 977981 due to public disclosure and affects IE 6 and IE 7, so customers running those versions should install this update as soon as possible.

The update for Active Directory Federation Services, MS09-070, is lower on the deployment list even though it has an Exploitability Index of 1. This is because an attacker would need valid logon credentials for the affected server in order to carry out an attack, which is why this bulletin carries a severity rating of Important. The second Critical bulletin affecting Windows, MS09-071, is also lower in our deployment priority, as indicated in the slide below. This is mainly due to its Exploitability Index rating of 2, which means that we do not expect to see reliable exploit code for the Critical vulnerability within the first 30 days from bulletin release.

To follow up on something I mentioned in the ANS blog post, here is the promised table that maps the bulletin IDs to the numbered bulletins from the ANS document, which customers have asked us for:

Bulletin ID | Maps to bulletin number in the ANS
            | Bulletin 5
            | Bulletin 6
            | Bulletin 1
            | Bulletin 4
            | Bulletin 2
            | Bulletin 3

This month we also released two new advisories. The first one, 954157, concerns a Defense in Depth (DiD) update for the Indeo Codec. This update will go out through the Automatic Update system and applies to Windows XP and Windows Server 2003. The update blocks the codec from being used in IE and Windows Media Player in the Internet Zone and offers attack surface reduction similar to that built in to Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Customers not running any applications that use the Indeo Codec can unregister it to reduce overall attack surface, which we recommend as a best practice; doing so gives the exact same attack surface reduction as on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

The other advisory, 974926, is the summary advisory for the work we have done around Extended Protection for Authentication. My colleague, MSRC program manager Maarten Van Horenbeeck, has written an extensive post on this subject on our Security Research & Defense blog.

Finally, we re-released MS08-037 for Windows 2000 SP4 systems. This is an Important-class update addressing an issue that could result in spoofing. All Windows 2000 SP4 users should re-install the update to be fully protected from this issue.

As we do every month, Adrian Stone and I provide a quick overview of today’s updates in the video below.


We also encourage all customers to join us tomorrow for our live webcast, where we will go into detail on all of these bulletins and answer your questions while on the air. Registration information:

Date: Wednesday Dec. 9
Time: 11:00 a.m. PST (UTC -8)
Registration and event link:

Thank you!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*