Microsoft fixed issues in Windows Media Player, the Windows kernel and developer tools. It finally released a fix to defend against the BEAST attack tool.
fixed eight vulnerabilities in the Windows kernel, Windows Media Player and
developer tools as part of January's Patch Tuesday update.
Of the seven bulletins,
only one was rated "critical," according to Microsoft's security bulletin summary
Jan. 10. The remaining bulletins were rated "important." There was a
reduction in the number of patches rated critical in 2011, according to Paul
Henry, security and forensic analyst at Lumension. Microsoft is expected to
bolster its "defense-in-depth" efforts, and more patches will be
rated important, Henry said.
January has a been a light month for Microsoft patches and, so far, this
year is no different," said Andrew Storms, director of security operations
bulletin addressing two vulnerabilities in Windows Media Player for Windows
Vista and XP (MS12-004) should be the highest priority, according to Storms.
One of the bugs was a critical remote code execution flaw that could be
exploited via a drive-by attack, according to Storms.
vulnerabilities are relatively easy to trigger with a specially crafted media
input file, according to Wolfgang Kandek, CTO of Qualys. Attacks can be
launched from an email attachment or from a file hosted on a Website, he said.
continue exploiting client applications, such as media players and browsers,
according to Marcus Carey, a security researcher at Rapid7. Media players are
frequently the target of non-stop fuzzing, or the "process of throwing the
kitchen sink at an application to find where it breaks," Carey said.
Media Player flaws provide "yet another reason" to upgrade to Windows
7, since those users would not be affected by the drive-by exploit, according
As the media player
vulnerability is a memory-corruption issue, it would be a bit difficult to
exploit, according to Joshua Talbot, security intelligence manager of Symantec
Security Response. Even though Microsoft rated it as "important,"
Talbot said he considered the flaw with the .NET packager (MS12-005) as the
"most severe issue." To exploit the vulnerability, the attacker has
to convince the user to open the maliciously crafted Office document, according
attachments will likely be the most common attack method in which this flaw is
exploited, according to Talbot. Attackers would be able to run malware as soon
as the user opens the compromised Word or PowerPoint file, he said.
There was also
a new security classification, "Security Feature Bypass
," in this month's
release. This classification covers vulnerabilities that are not directly
accessible, but could be used to facilitate an attack using a different
vulnerability, according to Henry. Examples include turning off user access control,
data execution prevention or address space layout randomization before running
of Microsoft's Visual C compiler (2003 RTM) implemented the SAFESEH security
measure in such a way that Windows XP, 2003, Vista, Windows 7 and Windows
Server 2008 could not read the information and defaulted to running the binary
without the security protection, Matt Miller, a security engineer on the
security science team within Microsoft's Security Engineering Center, wrote on
the Security Research and Defense
compiled with the later versions of Visual-C were generated correctly. This
patch (MS12-001) updates all versions of the Windows operating system to be
able to read the older files.
no direct vulnerability here, but an attacker would have to identify software
compiled with the old version of Visual-C, find the vulnerability in it and
code an exploit that would use the SEH exploit mechanism," Kandek said.
The fix against BEAST attacks
(MS12-006) should be
deployed on all Web servers, Kandek said. A cryptographic attack against the
secure socket layer that allows attackers to decode and eavesdrop on HTTPS
traffic, BEAST was demonstrated at the Ekoparty conference in Buenos Aires in
administrators have not yet deployed the out-of-band patch that was released in
late December to fix an ASP.NET vulnerability
that could enable a
denial-of-service attack, they should do so soon. A user named HybrisDisaster
has released a proof-of-concept exploit code for the vulnerability on the Full
Disclosure mailing list. Available for download from code repository site
GitHub, the proof of concept exploits the way ASP.NET handles certain HTTP post
disclosed in late December at the Chaos Communications Congress in Germany, the
problem affects a variety of languages and applications other than ASP.NET. Microsoft shipped the emergency patch
on Dec. 29
and recommended that users install it as quickly as possible.