2012's first Patch Tuesday has seven bulletins, including the postponed bulletin from December 2011 that addresses the BEAST style information disclosure. Talking about changes in schedules, Microsoft also released a bulletin MS11-100 for ASP.NET originally planned for this January between Christmas and New Years of 2011, which you might have missed.


Our highest priority is MS12-004, which fixes two vulnerabilities in Windows Media Player, one critical in MIDI playing, one important in the closed caption (CC) interpretation. The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerability can be both through e-mail or hosting the media file on a website. They have the potential to be used in a drive-by-download attack.

Next on our list is MS12-005, a vulnerability in the Windows .NET packager that can be triggered through a malicious Microsoft Office Word or PowerPoint document. Microsoft rates it only as 'important', but we consider vulnerabilities that only rely on a user opening a file critical enough to move them up in priority.

MS12-006 is the mentioned fix for the BEAST attack and should be deployed on all of your webservers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires and is a crypto attack against SSL/TLS that allows the attacker to decode and eavesdrop on HTTPS sessions. If you did miss the MS11-100 release over the holidays, now is a good time to take the opportunity to bundle both together. Tools for triggering MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools, maybe even to the one advertised here by Crista.

MS12-001 is the bulletin that was tagged as addressing a 'Security Feature Bypass' flaw. This is a new category and Microsoft has written a blog post explaining the details involved. In summary: a certain version of Visual-C (2003 RTM) implemented the the SAFESEH security measure in a way that Windows XP, 2003, Vista, Win7 and 2008 were unable to read the information and fell back to run the binary without the SAFESEH handler. Binaries compiled with the later versions of Visual-C (starting with SP1) are generated correctly and MS12-001 now changes the affected Windows Operating systems to be able to read the older format as well. There is no direct vulnerability here, but an attacker would have to identify a software compiled with the old version of Visual-C, find a vulnerability in it and code an exploit that would use the SEH exploit mechanism. Install it when you can, as it is a useful defense-in-depth measure.


Author: Wolfgang Kandek, CTO, Qualys.