
Microsoft and Adobe release first major patch bundles of 2012


Microsoft released seven bulletins last night to fix one critical issue on its first Patch Tuesday of 2012.

Of the eight vulnerabilities, one is rated critical in severity, with the remaining six classified as important. According to Trustworthy Computing spokesperson Angela Gunn, one of the patches covers the SSL issue that was pulled from the December release.

Gunn said: “Last month we announced a bulletin addressing the SSL issue we described in Security Advisory 2588513. Days before release, we noted a compatibility problem that might have affected certain users of third-party products, and decided to hold that bulletin until we could complete further investigation.

“We're re-releasing that bulletin today as MS12-006; we're also providing further information and guidance to customers with a Knowledge Base article and a Fix-it that will be useful in certain installation circumstances.”

This patch resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0 that could allow information disclosure and affects the protocol itself; it is not specific to the Windows operating system.

Paul Henry, security and forensic analyst at Lumension, said: “It's interesting to note that despite all of the hype over ‘The BEAST’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft. Overall, we saw a reduction in the number of critical issues from Microsoft in 2011.

“To that end, we can anticipate Microsoft will bolster defence-in-depth efforts and will likely increase the numbers of important issues like privilege escalation.”

Wolfgang Kandek, CTO at Qualys, said: “MS12-006 is the mentioned fix for the BEAST attack and should be deployed on all of your webservers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires and is a crypto attack against SSL/TLS that allows the attacker to decode and eavesdrop on HTTPS sessions.

“If you did miss the MS11-100 release over the holidays, now is a good time to take the opportunity to bundle both together. Tools for triggering MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools.”

The critical bulletin is MS12-004, which fixes two vulnerabilities in Windows Media Player: one rated critical in MIDI playing and one rated important in closed caption (CC) interpretation.

“The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerabilities can be both through email or hosting the media file on a website. They have the potential to be used in a drive-by-download attack,” said Kandek.

Jason Miller, manager of research and development at VMware, said: “As media files are extremely popular for viewing and sharing, administrators should patch this bulletin on their workstation machines as soon as possible. It is important to note that newer operating systems (Windows 7, Windows 2008 R2) are not affected by one of the vulnerabilities. These machines will only show one patch missing whereas older Microsoft operating systems (Windows XP, Vista, 2003, 2008) will require two patches to fully fix the vulnerabilities in this security bulletin.”

Adobe also released patches for critical vulnerabilities in its Reader and Acrobat X products yesterday. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

These follow an emergency patch released in December for Acrobat and Reader. Adobe recommended users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). For users of Adobe Reader 9.4.7 and earlier versions for Windows and Macintosh who cannot update to Adobe Reader X (10.1.2), Adobe has made available the update Adobe Reader 9.5.

Adobe recommends users of Adobe Acrobat X (10.1.1) for Windows and Macintosh update to Adobe Acrobat X (10.1.2). It recommends users of Adobe Acrobat 9.4.7 and earlier versions for Windows and Macintosh update to 9.5.
