Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Microsoft Patch Tuesday - December 2011

"From Redmond with Love"

Recently, I had a chance to talk with Katie Moussouris, leader of the Security Community Outreach and Strategy team at Microsoft. The interview helped me realize that Microsoft has a lot to offer when it comes to not just fixing vulnerabilities in their own products, but other companies' software as well:

  • Microsoft has a team of people on the MSVR (Microsoft Vulnerability Research) who look for vulnerabilities in third-party software and help the third-parties fix the issues.
  • MSVR practices Coordinated Vulnerability Disclosure, a term coined by the team and encompasses a philosophy for vulnerability disclosure (and one that omits the word "responsible" due to its misconstrued meanings).
  • Microsoft is showing others how to create more secure software through their SDL program (I hope Adobe is adopting this, and if they have, their implementation is falling short).
  • Microsoft has attempted to tell us where they document security vulnerabilities found internally, but this article seems to talk about variants, which are an off-shoot of the publicly disclosed vulnerabilities, not new vulnerabilities discovered internally by Microsoft. However, I am told that Microsoft does in fact document internally discovered vulnerabilities, but it's not as widely publicized as the monthly bulletins.
  • If you have the skills to come up with the next latest and greatest memory protection design, Microsoft could give you as much as $200,000 as part of the Blue Hat Prize contest.

One thing is for sure, I don't believe that Microsoft isn't trying to create more secure software. In fact, this month's MSRC post shows that critical vulnerabilities reported by outside parties continue to be on the decline. Some may argue that it's because people are not disclosing the vulnerabilities to Microsoft, and while that could be true, they deserve some of the credit for making efforts to improve software security.

Of course, there are more gifts from Microsoft this month in the form of 13 new security bulletins. To help evaluate the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:


Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.