Microsoft fixed eight vulnerabilities in the Windows kernel, Windows Media Player and developer tools as part of January's Patch Tuesday update. Of the seven bulletins, only one was rated "critical," according to Microsoft's security bulletin summary released Jan. 10. The remaining bulletins were rated "important." There was a reduction in the number of patches rated critical in 2011, according to Paul Henry, security and forensic analyst at Lumension. Microsoft is expected to bolster its "defense-in-depth" efforts, and more patches will be rated important, Henry said.
"Historically, January has been a light month for Microsoft patches and, so far, this year is no different," said Andrew Storms, director of security operations at nCircle.
The critical bulletin addressing two vulnerabilities in Windows Media Player for Windows Vista and XP (MS12-004) should be the highest priority, according to Storms. One of the bugs was a critical remote code execution flaw that could be exploited via a drive-by attack, according to Storms.
Both vulnerabilities are relatively easy to trigger with a specially crafted media input file, according to Wolfgang Kandek, CTO of Qualys. Attacks can be launched from an email attachment or from a file hosted on a website, he said.
Attackers will continue exploiting client applications, such as media players and browsers, according to Marcus Carey, a security researcher at Rapid7. Media players are frequently the target of non-stop fuzzing, or the "process of throwing the kitchen sink at an application to find where it breaks," Carey said.
The Windows Media Player flaws provide "yet another reason" to upgrade to Windows 7, since those users would not be affected by the drive-by exploit, according to Storms.
As the media player vulnerability is a memory-corruption issue, it would be a bit difficult to exploit, according to Joshua Talbot, security intelligence manager of Symantec Security Response. Even though Microsoft rated it as "important," Talbot said he considered the flaw in the .NET packager (MS12-005) the "most severe issue." To exploit the vulnerability, the attacker has to convince the user to open a maliciously crafted Office document, according to Microsoft.
Email attachments will likely be the most common vector by which this flaw is exploited, according to Talbot. Attackers would be able to run malware as soon as the user opens the compromised Word or PowerPoint file, he said.
There was also a new security classification, "Security Feature Bypass," in this month's release. This classification covers vulnerabilities that are not directly exploitable on their own, but could be used to facilitate an attack using a different vulnerability, according to Henry. Examples include turning off User Account Control, Data Execution Prevention or Address Space Layout Randomization before running another exploit.
Older versions of Microsoft's Visual C++ compiler (2003 RTM) implemented the SAFESEH security measure in such a way that Windows XP, 2003, Vista, Windows 7 and Windows Server 2008 could not read the information and defaulted to running the binary without the security protection, Matt Miller, a security engineer on the security science team within Microsoft's Security Engineering Center, wrote on the Security Research and Defense blog. Binaries compiled with later versions of Visual C++ were generated correctly. This patch (MS12-001) updates all versions of the Windows operating system to be able to read the older files.
"There is no direct vulnerability here, but an attacker would have to identify software compiled with the old version of Visual C++, find the vulnerability in it and code an exploit that would use the SEH exploit mechanism," Kandek said.
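The SafeSEH information the loader has to read, as described above, lives in the image's load config directory. The following checker is an added example (not code from the article, from Microsoft or from the blog post it cites) that parses a PE32 image and reports the fields that decide whether SafeSEH can be enforced: the NO_SEH flag in DllCharacteristics and the load config's Size, SEHandlerTable and SEHandlerCount. The sample images are constructed in-line, and the note that the loader validates the Size field before trusting the structure is my reading of the loader, not a statement from the article.

```python
import struct

LOAD_CONFIG_DIR = 10   # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, slot in the optional header's data directories
NO_SEH = 0x0400        # IMAGE_DLLCHARACTERISTICS_NO_SEH: the image declares it dispatches no SEH at all


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table entries (vsize, vaddr, rawsize, rawptr)."""
    for vsize, vaddr, _rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + vsize:
            return rawptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)


def safeseh_status(pe):
    """Report what a PE32 image advertises about SafeSEH, i.e. what the loader must read to enforce it."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("SafeSEH handler tables exist only in PE32 (x86) images")
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    dir_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * LOAD_CONFIG_DIR)[0]
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    status = {"no_seh": bool(dll_chars & NO_SEH), "has_load_config": dir_rva != 0}
    if status["no_seh"] or not dir_rva:
        # No load config means no handler table for the loader to enforce (SEH unrestricted),
        # unless NO_SEH says the image never dispatches handlers in the first place.
        status["safeseh"] = status["no_seh"]
        return status
    off = _rva_to_offset(dir_rva, sections)
    status["size"] = struct.unpack_from("<I", pe, off)[0]     # declared structure size, validated by the loader
    table, count = struct.unpack_from("<II", pe, off + 64)     # SEHandlerTable RVA, SEHandlerCount
    status.update(handler_table=table, handler_count=count, safeseh=table != 0)
    return status


def build_sample_pe(table_rva, count, cfg_size=0x48, dll_chars=0):
    """Constructed test input: a minimal PE32 with one section that carries a load config directory."""
    cfg = struct.pack("<I", cfg_size) + b"\0" * 60 + struct.pack("<II", table_rva, count)
    opt = struct.pack("<H", 0x10B) + b"\0" * 68 + struct.pack("<H", dll_chars) + b"\0" * 24
    dirs = [(0, 0)] * 16
    dirs[LOAD_CONFIG_DIR] = (0x1000, len(cfg))                 # load config placed at RVA 0x1000
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)   # i386, one section
    sec = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return hdr.ljust(0x200, b"\0") + cfg.ljust(0x200, b"\0")
```

Running `safeseh_status(build_sample_pe(0x1100, 3))` reports a /SAFESEH image with three registered handlers, while `build_sample_pe(0, 0)` models an image whose load config carries no handler table.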
The fix against BEAST attacks (MS12-006) should be deployed on all Web servers, Kandek said. A cryptographic attack against the Secure Sockets Layer (SSL) that allows attackers to decode and eavesdrop on HTTPS traffic, BEAST was demonstrated at the Ekoparty conference in Buenos Aires in September.
If administrators have not yet deployed the out-of-band patch that was released in late December to fix an ASP.NET vulnerability that could enable a denial-of-service attack, they should do so soon. A user named HybrisDisaster has released proof-of-concept exploit code for the vulnerability on the Full Disclosure mailing list. Available for download from code repository site GitHub, the proof of concept exploits the way ASP.NET handles certain HTTP POST requests.
First disclosed in late December at the Chaos Communication Congress in Germany, the problem affects a variety of languages and applications other than ASP.NET. Microsoft shipped the emergency patch on Dec. 29 and recommended that users install it as quickly as possible.