Microsoft plans to ship seven patches closing security holes in the Windows operating system and Microsoft developer tools and software in its first Patch Tuesday release of 2012.
The company fixed vulnerabilities in all versions of the Windows operating system, including Windows 7 and Windows Server 2008 R2, according to Microsoft’s advance notification announcement released Jan. 5. Only one of the seven bulletins is rated “critical,” and the remaining ones are rated “important.” The critical bulletin, which fixes a remote code execution issue in Media Player, can be downgraded to “important” for Windows 7 and Windows 2008 R2 users, according to the advisory.
Microsoft is expected to release the updates for January’s Patch Tuesday on Jan. 10.
Six of the bulletins fixed holes in various versions of Windows, and only one would cover Microsoft Developer Tools. “Windows 7 and 2008 R2 have less exposure” as two of the bulletins don’t apply to them at all, according to Wolfgang Kandek, CTO of Qualys.
The noncritical bulletins handle the Secure Sockets Layer (SSL) vulnerability affecting Web servers that could be exploited by the BEAST tool and various information disclosure and escalation of privilege issues, according to Paul Henry, security and forensic analyst at Lumension. Microsoft also will update its Structured Exception Handling Overwrite Protection technology, a defense-in-depth capability that makes it harder for attackers to successfully exploit legacy applications, according to Henry.
The BEAST/SSL patch was supposed to have been included in December’s Patch Tuesday release but had been pulled at the last minute due to some testing problems involving a third-party vendor, according to Microsoft. Henry noted that despite all the hype after the BEAST attack tool was released over the summer, attacks exploiting the SSL flaw “simply never materialized.”
One of the bulletins rated as important will fix an issue described as a “security feature bypass,” a label Microsoft has not used previously. An SFB-class issue can’t be directly exploited by an attacker but would be used to exploit another vulnerability, Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, wrote on the Microsoft Security Response Center blog. A more detailed analysis would be available when the patches go live, according to Gunn.
“It will be interesting to see, which exact Windows features are involved and how this vulnerability can be used by attackers,” Kandek said.
A SFB-class flaw may cover cases where users turn off a Windows security safeguard, speculated Andrew Storms, director of security operations for nCircle. “It’s not exactly a software bug, but it’s a condition that could allow attackers much more room to maneuver,” Storms told eWEEK.
Microsoft issued an out-of-band security update on Dec. 29 to close four serious vulnerabilities in the .NET framework. One of the vulnerabilities could be exploited to launch hash collision attacks on Web applications built on ASP.NET and trigger a denial of service. The .NET patch had originally been scheduled for the January release, but the company moved up the date in order to issue the ASP.NET fix as an emergency patch.
The DoS zero-day exists in other Web application frameworks as well. But Microsoft and Apache appear to be the only ones who have addressed the issue to date.