Admins braced for hefty Christmas Patch Tuesday from Microsoft

Security administrators are in for a busy holiday season after Microsoft confirmed that the December Patch Tuesday release will include 14 bulletins covering 20 vulnerabilities in a range of products.

Microsoft said in the Security Bulletin Advance Notification for December 2011 that three of the 14 bulletins are rated 'critical', the highest severity rating, and could allow remote code execution on infected XP, Vista and Windows 7 systems.

Bulletins 1 and 2 also affect Windows Server 2003, while Windows Server 2008 is affected only by the first critical bulletin.

The remaining 11 bulletins are rated 'important' and cover remote code execution and elevation of privilege flaws.

"Five of the 'important' bulletins affect Office 2003, 2007 and 2010 including all Office versions for Macintosh as well," explained Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys.

"One of the remaining bulletins addresses Internet Explorer 6 through 9, and the remaining bulletins apply to all versions of Windows."

Although not specifically referred to in the security bulletin, it is also believed that Microsoft will patch the flaw in TrueType font parsing which was exploited by the Duqu Trojan.

System administrators are likely to be kept doubly busy as Adobe is set to release an update for Reader and Acrobat 9.x for Windows this week to address a critical vulnerability which could cause a system crash and allow attackers to take control of an affected system.

The flaw is actively being exploited in the wild via malicious PDF email attachments, according to security researchers.