December 2010 Advance Notification Service is released

Hi everyone. Mike Reavey from the MSRC here. Today we’re releasing our
Advance Notification Service for the December 2010 security bulletin
release. As we do every month, we’ve given information about the coming
December release and provided links to detailed information so you can plan
your deployment by product, service pack level, and severity. However, since
this is the last release for the year, I thought it would also be a good time
to take a look back at the security releases we’ve had over the last 12 months.

First, for December we’re releasing 17 updates addressing 40
vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and
Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important,
and one is rated Moderate. As always, we recommend that customers
review the ANS summary page for more information and prepare for the
testing and deployment of these bulletins as soon as possible.

Looking back over 2010, that brings the total bulletin count
to 106, which is more bulletins than we have released in previous years. This
is partly due to vulnerability reports in Microsoft products increasing
slightly, as indicated by our latest Security Intelligence Report. This
isn’t really surprising when you think about
product life cycles and the nature of vulnerability research. Microsoft
supports products for up to ten years. (One of our most popular operating
systems from the turn of the century, XP SP2, reached its end-of-support life
in mid-2010, in fact.) Vulnerability research methodologies, on the other hand,
change and improve constantly. Older products meeting newer attack methods,
coupled with overall growth in the vulnerability marketplace, result in more
vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to
us cooperatively continues to remain high at around 80 percent; in other words,
for most vulnerabilities we’re able to release a comprehensive security update
before the issue is broadly known.

At the end of the day, Microsoft’s primary focus is to
release reliable, high-quality updates to our customers. Feedback from customers indicates that this is
the most important factor in minimizing disruption and allowing them to deploy
our updates quickly – even more important than the overall number of security

Back to this month’s bulletins. We’re addressing two
issues this month that have attracted interest recently. First, we will be closing
the last Stuxnet-related issues this month. This is a local Elevation of
Privilege vulnerability and we’ve seen no evidence of its use in active
exploits aside from the Stuxnet malware. We’re also addressing
the Internet Explorer vulnerability described in Security Advisory 2458511.
Over the past month, Microsoft and our MAPP
partners actively monitored the threat landscape surrounding this vulnerability
and the total number of exploit attempts we monitored remained pretty low.
Furthermore, customers running Internet Explorer 8 remained protected by
default due to the extra protection provided by Data Execution Prevention
(DEP). On that note, I want to point you to a new post on the Security Research
& Defense team blog describing the effectiveness of DEP and ASLR against the
types of exploits we see in the wild today.

We encourage customers to review this month’s bulletins and
to prioritize their installation according to the needs of their
environment. (And, of course, for most home users these updates will be
installed automatically.) If you have questions, join us next Wednesday
(December 15) when Jonathan Ness and Jerry Bryant will host a live webcast
covering the December bulletins. They’ll go into detail about the release and
answer your bulletin-related questions live on the air. Register at the link

Date: Wednesday, December 15
Time: 11:00 a.m. PST (UTC -8)
Registration: 1032454441


Mike Reavey
Director, MSRC