[Security] January 2012 Microsoft Super Tuesday

The January 2012 monthly update from Microsoft weighed in with a relatively light eight bulletins and nine CVEs addressed. Only one of these bulletins, “MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution”, was rated critical. (It also happens to contain a fix for one of my disclosures, CVE-2012-0003.) Here’s a breakdown of the bulletins that I felt are especially noteworthy.

MS12-005: Vulnerability in Microsoft Windows Could Allow Remote Code Execution

This vaguely titled update patches a hole in the Windows object packager’s protection against running unsafe file types. The object packager is used to embed arbitrary files in things like Office documents. Certain file types, like executables, are inherently dangerous to run automatically, so protection was built into the packager to present a warning dialog asking for permission before launching them. A particular file type was left off the blacklist of unsafe file types and can therefore be launched without any warning or user interaction. Although this vulnerability was privately reported, the bulletin gives enough information that I wouldn’t be surprised to see malicious documents exploiting this issue appearing after the update is released. Consider applying this update immediately or, if that isn’t feasible, applying the workaround provided in the bulletin.

MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution

Two privately reported remote code execution vulnerabilities were addressed in this critical update. CVE-2012-0003 addresses a vulnerability in the Windows multimedia library: unexpected values encountered while processing MIDI files can be leveraged for code execution. The issue is in the library itself, not in an individual music player or application, so the potential exists for any application using the vulnerable API functions to be exploitable. The other vulnerability is in how the DirectShow library parses certain specially crafted subtitles. These subtitles can be embedded in common video container formats such as AVI or ASF.

MS12-006: Vulnerability in SSL/TLS Could Allow Information Disclosure

A few months ago there was a demonstration of a proof of concept called BEAST that could decode session cookies from an SSL/TLS connection. The vulnerability that made this possible is that the SSL 3.0 and TLS 1.0 protocols implicitly use the last ciphertext block of the previous record as the initialization vector (IV) when using cipher block chaining (CBC) ciphersuites. This implicit IV vulnerability was addressed in this update. The vulnerability has been known about for a long time (and was addressed in TLS 1.1), and practical exploitation is still somewhat difficult to achieve in most situations.
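To see where the implicit-IV condition still applies in your own environment, the following added example (not part of the original post or of Microsoft's bulletin) flags handshakes that pair SSL 3.0 or TLS 1.0 with a CBC ciphersuite. The log format, the sample lines and the function names are assumptions made for illustration; adapt the parser to whatever your TLS terminator actually records.

```python
import re
from collections import Counter

# Versions that take the CBC IV from the previous record's last ciphertext
# block, as described above. TLS 1.1 and later use an explicit per-record IV.
IMPLICIT_IV_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.0"}

# Constructed sample log (assumed format): "<client> <protocol> <IANA suite>"
SAMPLE_LOG = """\
10.0.0.5 TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
10.0.0.6 TLSv1 TLS_RSA_WITH_RC4_128_SHA
10.0.0.7 TLSv1.1 TLS_RSA_WITH_AES_256_CBC_SHA
10.0.0.8 SSLv3 SSL_RSA_WITH_3DES_EDE_CBC_SHA
10.0.0.9 TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
malformed line
"""

LINE_RE = re.compile(r"^(\S+)\s+(SSLv\d|TLSv\d(?:\.\d)?)\s+((?:TLS|SSL)_\S+)$")


def uses_cbc(suite):
    """IANA suite names carry the mode as its own token, e.g. ..._AES_128_CBC_SHA."""
    return "CBC" in suite.split("_")


def audit(log_text):
    """Return (findings, skipped_line_numbers) for one log.

    A finding is a handshake that combines an implicit-IV protocol version
    with a CBC suite. Unparseable lines are reported rather than dropped,
    so a format change cannot silently hide affected sessions.
    """
    findings, skipped = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            skipped.append(n)
            continue
        client, proto, suite = m.groups()
        if proto in IMPLICIT_IV_VERSIONS and uses_cbc(suite):
            findings.append({"line": n, "client": client,
                             "protocol": proto, "suite": suite})
    return findings, skipped


def summarize(findings):
    """Count affected handshakes per (protocol, suite) to prioritise config changes."""
    return dict(Counter((f["protocol"], f["suite"]) for f in findings))


if __name__ == "__main__":
    hits, bad = audit(SAMPLE_LOG)
    for key, count in sorted(summarize(hits).items()):
        print(count, *key)
    print("unparsed lines:", bad)
```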


In the first “Patch Tuesday” of 2012, Microsoft is releasing seven security bulletins to address software issues an attacker could use to remotely exploit and take control of infected Windows systems. Patch Tuesday occurs on the second Tuesday of each month, and on that day Microsoft releases security patches to fix vulnerabilities found in its products.

The following table summarizes the security bulletins for this month in order of severity.
| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
| --- | --- | --- | --- |
| Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows |
| Bulletin 2 | Important, Security Feature Bypass | Requires restart | Microsoft Windows |
| Bulletin 3 | Important, Remote Code Execution | May require restart | Microsoft Windows |
| Bulletin 4 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 5 | Important, Remote Code Execution | May require restart | Microsoft Windows |
| Bulletin 6 | Important, Information Disclosure | Requires restart | Microsoft Windows |
| Bulletin 7 | Important, Information Disclosure | May require restart | Microsoft Developer Tools and Software |

Table 1 – Summary of the Security Bulletins

We are hoping this month’s patches will address the Browser Exploit Against SSL/TLS, or BEAST; that fix seemed to have been canceled last month due to a third-party vendor who reported compatibility issues with the patch.

Updates for other security issues are available from the following locations:
Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for “security update”.
Updates for consumer platforms are available from Microsoft Update.
You can obtain the security updates offered this month on Windows Update, from Download Center on Security and Critical Releases ISO CD Image files. For more information, see Microsoft Knowledge Base Article 913086.

If you are interested in learning more about how to improve security and optimize your IT infrastructure, and would like to participate with other IT Pros on security topics, check out the IT Pro Security Community.

Also strengthening its software is Adobe, which on Jan. 10th released critical updates for Adobe Reader X and Adobe Acrobat X, and Google, which recently released Chrome version 16.0.9212.75, fixing three high-priority bugs in the Web browser.

