7 Fixes in January's Security Update
As expected, Microsoft released seven security bulletins in its first Patch Tuesday of the year. Only one fix got the "critical" lable, with the remaining described as "important."
The critical fix, bulletin MS12-004, addresses two privately reported issues in Windows Media Player that could allow an intruder to carry out a remote code execution attack if a specially designed media file were to be downloaded and opened.
Media players represent easy targets for attackers, according to Marcus Carey, a security researcher at Rapid7.
"This [bulletin] should serve as a reminder that we should expect researchers and attackers to continue to exploit client applications such as media players and browsers," said Carey. "In fact, media players are the target of non-stop fuzzing: the process of throwing the kitchen sink at an application to find where it breaks."
Microsoft's first important item of the month, bulletin MS12-001, is noteworthy for being classified as a "Security Features Bypass." That vulnerability impact designation represents a first for a Microsoft bulletin. This item blocks a reported problem in which an outsider could bypass the SafeSEH features in Microsoft C++ .NET. If exploited, the flaw could allow an attacker to bypass security protocols and load harmful code on a machine.
Many third-party security experts, including Joshua Talbot, a security intelligence manager at Symantec Security Response, believe that this important item should be put at the top of IT's "to-do" list.
"Although only rated important, we actually picked the Assembly Execution Vulnerability as the most severe issue this month," said Talbot. "The vulnerability is due to an oversight that allows an attacker to run malware as soon as a user opens a Word or PowerPoint file. E-mail attachments will probably be the most common attack method in which this vulnerability is exploited."
Another notable bulletin this month includes a fix for a Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0. flaw (bulletin MS12-006) that could be exploited with a toolkit called BEAST, which was demonstrated last September. According to those demonstrating the flaw, an attacker could have malicious code uploaded and executed on a computer within 10 minutes.
In response, Microsoft released Security Advisory 2588513 that documented a possible workaround. The advisory notes that Microsoft is working on a permanent fix. The plan was to release the bulletin in last month's security update, but Microsoft had to pull it at the last moment when it encountered compatibility issues with third-party software.
Three of the four remaining important bulletins target two remote code execution vulnerabilities and one elevation of privilege flaw in Windows, while the final bulletin deals with an information disclosure issue in Microsoft's Anti-Cross Site Scripting (AntiXSS) Library.
Detailed information and suggestions for the deployment of January's security update can be found here. Most of the fixes will require a restart to take effect.
With the arrival of Patch Tuesday, it is also a good time to remind many who might have missed it over the holidays of the out-of-band patch released by Microsoft on Dec. 29. This bulletin addressed three issues with Microsoft's framework for ASP.NET.