
Microsoft and Adobe release first major patch bundles of 2012


Microsoft released seven bulletins last night to fix one critical issue on its first Patch Tuesday of 2012.

Of the eight vulnerabilities, one is rated critical in severity, with the remaining six classified as important. According to Trustworthy Computing spokesperson Angela Gunn, one of the patches covers the SSL issue that was pulled from the December release.

Gunn said: “Last month we announced a bulletin addressing the SSL issue we described in Security Advisory 2588513. Days before release, we noted a compatibility problem that might have affected certain users of third-party products, and decided to hold that bulletin until we could complete further investigation.

“We're re-releasing that bulletin today as MS12-006; we're also providing further information and guidance to customers with a Knowledge Base article and a Fix-it that will be useful in certain installation circumstances.”

This patch resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0 that could allow information disclosure. The vulnerability affects the protocol itself; it is not specific to the Windows operating system.

Paul Henry, security and forensic analyst at Lumension, said: “It's interesting to note that despite all of the hype over ‘The BEAST’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft. Overall, we saw a reduction in the number of critical issues from Microsoft in 2011.

“To that end, we can anticipate Microsoft will bolster defence-in-depth efforts and will likely increase the numbers of important issues like privilege escalation.”

Wolfgang Kandek, CTO at Qualys, said: “MS12-006 is the mentioned fix for the BEAST attack and should be deployed on all of your webservers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires and is a crypto attack against SSL/TLS that allows the attacker to decode and eavesdrop on HTTPS sessions.

“If you did miss the MS11-100 release over the holidays, now is a good time to take the opportunity to bundle both together. Tools for triggering MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools.”

The critical patch is MS12-004, which fixes two vulnerabilities in Windows Media Player: one critical, in MIDI playing, and one important, in the closed caption (CC) interpretation.

“The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerabilities can be either through email or hosting the media file on a website. They have the potential to be used in a drive-by-download attack,” said Kandek.

Jason Miller, manager of research and development at VMware, said: “As media files are extremely popular for viewing and sharing, administrators should patch this bulletin on their workstation machines as soon as possible. It is important to note that newer operating systems (Windows 7, Windows 2008 R2) are not affected by one of the vulnerabilities. These machines will only show one patch missing whereas older Microsoft operating systems (Windows XP, Vista, 2003, 2008) will require two patches to fully fix the vulnerabilities in this security bulletin.”

Adobe also released patches for critical vulnerabilities in its Reader and Acrobat X products yesterday. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

These follow an emergency patch released in December for Acrobat and Reader. Adobe recommended users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). For users of Adobe Reader 9.4.7 and earlier versions for Windows and Macintosh who cannot update to Adobe Reader X (10.1.2), Adobe has made available the update Adobe Reader 9.5.

Adobe recommends users of Adobe Acrobat X (10.1.1) for Windows and Macintosh update to Adobe Acrobat X (10.1.2). It recommends users of Adobe Acrobat 9.4.7 and earlier versions for Windows and Macintosh update to 9.5.
