Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • Networking

    Microsoft Plans 7 Fixes for January Patch Tuesday

    By
    Fahmida Y. Rashid
    -
    January 5, 2012
    Share
    Facebook
    Twitter
    Linkedin

      Microsoft plans to ship seven patches closing security holes in the Windows operating system and Microsoft developer tools and software in its first Patch Tuesday release of 2012.

      The company fixed vulnerabilities in all versions of the Windows operating system, including Windows 7 and Windows Server 2008 R2, according to Microsoft’s advance notification announcement released Jan. 5. Only one of the seven bulletins is rated “critical,” and the remaining ones are rated “important.” The critical bulletin, which fixes a remote code execution issue in Media Player, can be downgraded to “important” for Windows 7 and Windows 2008 R2 users, according to the advisory.

      Microsoft is expected to release the updates for January’s Patch Tuesday on Jan. 10.

      Six of the bulletins fixed holes in various versions of Windows, and only one would cover Microsoft Developer Tools. “Windows 7 and 2008 R2 have less exposure” as two of the bulletins don’t apply to them at all, according to Wolfgang Kandek, CTO of Qualys.

      The noncritical bulletins handle the Secure Sockets Layer (SSL) vulnerability affecting Web servers that could be exploited by the BEAST tool and various information disclosure and escalation of privilege issues, according to Paul Henry, security and forensic analyst at Lumension. Microsoft also will update its Structured Exception Handling Overwrite Protection technology, a defense-in-depth capability that makes it harder for attackers to successfully exploit legacy applications, according to Henry.

      The BEAST/SSL patch was supposed to have been included in December’s Patch Tuesday release but had been pulled at the last minute due to some testing problems involving a third-party vendor, according to Microsoft. Henry noted that despite all the hype after the BEAST attack tool was released over the summer, attacks exploiting the SSL flaw “simply never materialized.”

      One of the bulletins rated as important will fix an issue described as a “security feature bypass,” a label Microsoft has not used previously. An SFB-class issue can’t be directly exploited by an attacker but would be used to exploit another vulnerability, Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, wrote on the Microsoft Security Response Center blog. A more detailed analysis would be available when the patches go live, according to Gunn.

      “It will be interesting to see, which exact Windows features are involved and how this vulnerability can be used by attackers,” Kandek said.

      A SFB-class flaw may cover cases where users turn off a Windows security safeguard, speculated Andrew Storms, director of security operations for nCircle. “It’s not exactly a software bug, but it’s a condition that could allow attackers much more room to maneuver,” Storms told eWEEK.

      Microsoft issued an out-of-band security update on Dec. 29 to close four serious vulnerabilities in the .NET framework. One of the vulnerabilities could be exploited to launch hash collision attacks on Web applications built on ASP.NET and trigger a denial of service. The .NET patch had originally been scheduled for the January release, but the company moved up the date in order to issue the ASP.NET fix as an emergency patch.

      The DoS zero-day exists in other Web application frameworks as well. But Microsoft and Apache appear to be the only ones who have addressed the issue to date.

      Avatar
      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×