
    Microsoft Plans 7 Fixes for January Patch Tuesday

    By Fahmida Y. Rashid - January 5, 2012

      Microsoft plans to ship seven patches closing security holes in the Windows operating system and Microsoft developer tools and software in its first Patch Tuesday release of 2012.

      The company fixed vulnerabilities in all versions of the Windows operating system, including Windows 7 and Windows Server 2008 R2, according to Microsoft’s advance notification announcement released Jan. 5. Only one of the seven bulletins is rated “critical,” and the remaining ones are rated “important.” The critical bulletin, which fixes a remote code execution issue in Media Player, can be downgraded to “important” for Windows 7 and Windows 2008 R2 users, according to the advisory.

      Microsoft is expected to release the updates for January’s Patch Tuesday on Jan. 10.

      Six of the bulletins fixed holes in various versions of Windows, and only one would cover Microsoft Developer Tools. “Windows 7 and 2008 R2 have less exposure” as two of the bulletins don’t apply to them at all, according to Wolfgang Kandek, CTO of Qualys.

      The noncritical bulletins handle the Secure Sockets Layer (SSL) vulnerability affecting Web servers that could be exploited by the BEAST tool and various information disclosure and escalation of privilege issues, according to Paul Henry, security and forensic analyst at Lumension. Microsoft also will update its Structured Exception Handling Overwrite Protection technology, a defense-in-depth capability that makes it harder for attackers to successfully exploit legacy applications, according to Henry.

      The BEAST/SSL patch was supposed to have been included in December’s Patch Tuesday release but had been pulled at the last minute due to some testing problems involving a third-party vendor, according to Microsoft. Henry noted that despite all the hype after the BEAST attack tool was released over the summer, attacks exploiting the SSL flaw “simply never materialized.”

      One of the bulletins rated as important will fix an issue described as a “security feature bypass,” a label Microsoft has not used previously. An SFB-class issue can’t be directly exploited by an attacker but would be used to exploit another vulnerability, Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, wrote on the Microsoft Security Response Center blog. A more detailed analysis would be available when the patches go live, according to Gunn.

      “It will be interesting to see which exact Windows features are involved and how this vulnerability can be used by attackers,” Kandek said.

      An SFB-class flaw may cover cases where users turn off a Windows security safeguard, speculated Andrew Storms, director of security operations for nCircle. “It’s not exactly a software bug, but it’s a condition that could allow attackers much more room to maneuver,” Storms told eWEEK.

      Microsoft issued an out-of-band security update on Dec. 29 to close four serious vulnerabilities in the .NET framework. One of the vulnerabilities could be exploited to launch hash collision attacks on Web applications built on ASP.NET and trigger a denial of service. The .NET patch had originally been scheduled for the January release, but the company moved up the date in order to issue the ASP.NET fix as an emergency patch.

      The DoS zero-day exists in other Web application frameworks as well. But Microsoft and Apache appear to be the only ones who have addressed the issue to date.
