Microsoft is planning seven fixes for January's Patch Tuesday release that will address bugs in all versions of Windows and possibly for the SSL/BEAST flaw.
Microsoft
plans to ship seven patches closing security holes in the Windows operating
system and Microsoft developer tools and software in its first Patch Tuesday
release of 2012.
The company
fixed vulnerabilities in all versions of the Windows operating system,
including Windows 7 and Windows Server 2008 R2, according to
Microsoft's advance notification announcement
released Jan. 5. Only one of the seven bulletins is rated "critical,"
and the remaining ones are rated "important." The critical bulletin,
which fixes a remote code execution issue in Media Player, can be downgraded to
"important" for Windows 7 and Windows 2008 R2 users, according to the
advisory.
Microsoft is
expected to release the updates for January's Patch Tuesday on Jan. 10.
Six of the
bulletins fixed holes in various versions of Windows, and only one would cover
Microsoft Developer Tools. "Windows 7 and 2008 R2 have less exposure"
as two of the bulletins don't apply to them at all, according to Wolfgang
Kandek, CTO of Qualys.
The noncritical
bulletins handle the Secure Sockets Layer (SSL) vulnerability affecting Web
servers that could be exploited by the BEAST tool and various information
disclosure and escalation of privilege issues, according to Paul Henry,
security and forensic analyst at Lumension. Microsoft also will update its
Structured Exception Handling Overwrite Protection technology, a defense-in-depth
capability that makes it harder for attackers to successfully exploit legacy
applications, according to Henry.
The BEAST/SSL
patch was supposed to have been included in
December's Patch Tuesday release but had been
pulled at the last minute due to some testing problems involving a third-party
vendor, according to Microsoft. Henry noted that despite all the hype after the
BEAST attack tool was released over the summer, attacks exploiting the SSL flaw
"simply never materialized."
One of the
bulletins rated as important will fix an issue described as a "security
feature bypass," a label Microsoft has not used previously. An SFB-class
issue can't be directly exploited by an attacker but would be used to exploit
another vulnerability, Angela Gunn, security response communications manager
for Microsoft's Trustworthy Computing Group, wrote on the
Microsoft Security Response Center blog. A
more detailed analysis would be available when the patches go live, according
to Gunn.
"It will
be interesting to see, which exact Windows features are involved and how this
vulnerability can be used by attackers," Kandek said.
A SFB-class
flaw may cover cases where users turn off a Windows security safeguard,
speculated Andrew Storms, director of security operations for nCircle.
"It's not exactly a software bug, but it's a condition that could allow
attackers much more room to maneuver," Storms told
eWEEK.
Microsoft issued an out-of-band security update
on Dec. 29 to close four serious vulnerabilities in the .NET framework. One of
the vulnerabilities could be exploited to launch hash collision attacks on Web
applications built on ASP.NET and trigger a denial of service. The .NET patch
had originally been scheduled for the January release, but the company moved up
the date in order to issue the ASP.NET fix as an emergency patch.
The
DoS zero-day exists in other Web application frameworks
as well. But Microsoft and Apache appear to be the only ones who have
addressed the issue to date.
Email
Print
