Holy Moly! I just took a quick look at the Microsoft Security Bulletin Advance Notification for December 2010 (this is a temporary placeholder for the actual security bulletin, which will be released at the same time Microsoft posts its updates to the Windows Update Service, so the final bulletin may be in place by the time you read this). There are 17 security updates in the queue for this month, which is certainly the highest number I’ve seen. In fact, according to Mark Reavey of the Microsoft Security Response Center (MSRC) this is the highest number of updates ever released on a Patch Tuesday. See his MSRC blog “December 2010 Advance Notification Service is released” (12/9/2010) for some interesting information about total bulletin counts, vulnerabilities covered, and information security trends.
Among the most interesting tidbits from this blog is the declaration that Microsoft “…will be closing the last Stuxnet-related issues this month. This is a local Elevation of Privilege vulnerability and we’ve seen no evidence of its use in active exploits aside from the Stuxnet malware.” Likewise, an older (reported in November 2010 in MS Security Advisory 2458511) Remote Code Execution vulnerability in Internet Explorer that affects versions 6, 7, and 8 will also be addressed in the December security updates. Finally, Reavey also points to an interesting article from Microsoft Security Research & Defense entitled “On the effectiveness of DEP and ASLR” (DEP is Data Execution Prevention, and ASLR is Address Space Layout Randomization, two techniques Microsoft uses to good effect to limit the impact of exploit attempts, especially those that seek to leverage buffer overflow weaknesses).
It will be interesting to read more details about this month’s security updates when Microsoft posts them to its update servers at about 11 AM Pacific time today (-08:00 UTC). I’ll post further on what’s in the mix in a follow-up blog tomorrow.