Microsoft is playing Scrooge this year for any IT admins who were hoping to relax and ride out the rest of the year. There are 14 security bulletins planned for next week’s Patch Tuesday—one that happens to fall unusually late in the month thanks to December starting on a Thursday, and leaves IT admins with little time to patch before the holidays.
The good news, if you can call it good news, is that only three of the 14 security bulletins are rated as Critical. The bad news is that all of the remaining 11 are still rated as Important, and some of the vulnerabilities addressed in the Important security bulletins could be very attractive to would-be attackers.
Another spark of good news is that it appears that Microsoft will issue a patch for the vulnerability exploited by the Duqu worm. While the information in the security bulletin advance notification from Microsoft is intentionally vague, Rapid7 security researcher Marcus Carey points out that Bulletin 1 seems to address the same flaw being exploited, and that it requires a reboot–indicating that it is likely a kernel level patch.
Microsoft isn’t the only one closing 2011 with a bang, though. Qualys CTO Wolfgang Kandek notes in a blog post that Adobe plans to issue an out-of-band patch for Adobe Reader and Acrobat 9 to address a zero day flaw that is currently being exploited in the wild.
Paul Henry, a security and forensic analyst with Lumension, adds Java to the list of emerging attack targets. Henry points out that third-party tools like Adobe Reader and Java don’t usually get the same level of attention, and make easier targets in many cases.
Throw a Yule log on the fire, make yourself a pot of coffee, and get ready to roll next Tuesday. You’ll have a lot of work to do to get everything patched and protected so you can enjoy a peaceful holiday break, and come back ready to take on 2012.