Another Patch Tuesday, another batch of fixes for critical issues. In December's cycle, Microsoft issued six security bulletins that address 12 vulnerabilities, seven rated as critical. Five of those critical updates fix issues in Internet Explorer that could be used in drive-by attacks.
"Proof-of-concept exploit code was released for the object memory corruption vulnerability late last month, but it wasn't reliable," said Ben Greenbaum, senior research manager for Symantec Security Response. "It's been a race since between Microsoft and attackers to either get a patch out or improve the exploit's reliability. As it turns out, Symantec has yet to see either the exploit's consistency increase significantly or any successful attacks using it in the wild."
Microsoft Under Scrutiny
Any improvement in browsing security is a nice holiday gift to consumers surfing through their inboxes every morning for the best holiday shopping deals, said Andrew Storms, director of security operations for nCircle. However, he added, Microsoft's secure-code development practices are going to come under scrutiny again because the IE update includes fixes for two previously nonpublic exploits that only affect IE8, the newest browser from Microsoft.
"There's no way for Microsoft to avoid the speculation that these bugs should have been found during the software development and quality assurance cycle, but the reality is that this was bound to happen," Storms said. "Every product has bugs, and more features means greater attack surfaces. It is depressing for both Microsoft and its customers, though, that it happened so quickly."
Beyond the IE Flaws
Beyond IE, December's Patch Tuesday list is really a mashup of random fixes, said Tyler Reguly, senior security engineer at nCircle. There are a lot of acronyms in the list, with LSASS, ADFS and IAS, and a smattering of client-side vulnerabilities, but in the grand scheme of things, he said, there's nothing extremely dangerous once you get past IE.
"Given some of the configurations that are affected, it's definitely worth taking the time to test these patches in your lab before deploying them. IE is, of course, the exception to that recommendation," Reguly said.
"The non-security update for Integrated Windows Authentication on IIS and other web-based systems is rather interesting. This was not fixed via a security bulletin, but it's great to see it shipping nonetheless," he added. "Essentially, this fix provides a method to protect web clients from credential-forwarding attacks, which will only help to improve intranet security."
Shoring Up Against Malware Threats
Although there are several critical patches that need to be addressed this month, the big so-what for Microsoft patches centers around the ubiquitous MS09-072 affecting all versions of Internet Explorer and carrying Microsoft's highest exploitability rating, said Paul Zimski, vice president of market strategy for Lumension.
"This, combined with subsequent updates issued in Apple's Java for OS X, Adobe's Flash Player, and AIR, makes this month particularly important to shore up patches and protect against web-borne malware threats," Zimski said.
"Bulletin MS09-071 is also rated critical for Windows Server 2008 and requires a restart. Since Windows Server 2008 is most likely deployed in support of mission-critical applications, this update could be disruptive to business operations. Microsoft's exploitability scale for this bulletin is less severe, but organizations should address this expeditiously."