Microsoft released seven bulletins last night on its first Patch Tuesday of 2012, one of them rated critical.
Of the seven bulletins, one is rated critical in severity, with the remaining six classified as important; between them they address eight vulnerabilities. According to Trustworthy Computing spokesperson Angela Gunn, one of the patches covers the SSL issue that was pulled from the December release.
Gunn said: “Last month we announced a bulletin addressing the SSL issue we described in Security Advisory 2588513. Days before release, we noted a compatibility problem that might have affected certain users of third-party products, and decided to hold that bulletin until we could complete further investigation.
“We're re-releasing that bulletin today as MS12-006; we're also providing further information and guidance to customers with a Knowledge Base article and a Fix-it that will be useful in certain installation circumstances.”
The bulletin resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0 that could allow information disclosure. The weakness lies in the design of those protocol versions rather than in Windows specifically, so MS12-006 fixes Microsoft's implementation only; other vendors' SSL/TLS stacks need their own updates. Because the December release was held back over a compatibility problem with third-party products, the Knowledge Base article and Fix-it that accompany the bulletin are worth reading before it is rolled out widely.
Paul Henry, security and forensic analyst at Lumension, said: “It's interesting to note that despite all of the hype over ‘The BEAST’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft. Overall, we saw a reduction in the number of critical issues from Microsoft in 2011.
“To that end, we can anticipate Microsoft will bolster defence-in-depth efforts and will likely increase the numbers of important issues like privilege escalation.”
Wolfgang Kandek, CTO at Qualys, said: “MS12-006 is the mentioned fix for the BEAST attack and should be deployed on all of your webservers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires and is a crypto attack against SSL/TLS that allows the attacker to decode and eavesdrop on HTTPS sessions.
“If you did miss the MS11-100 release over the holidays, now is a good time to take the opportunity to bundle both together. Tools for triggering MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools.”
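The chained-IV weakness described above, and the BEAST attack Kandek refers to, as an added example that is not from the article, from Microsoft or from the BEAST authors: a toy Python model of a TLS 1.0-style CBC record layer in which each record's IV is the previous record's last ciphertext block. An attacker who can make the victim send chosen plaintext over the connection uses that predictable IV to test a guess for one secret byte, and the 1/n-1 record split (the mitigation approach the TLS vendors adopted for BEAST, including MS12-006) defeats the check. The block cipher, padding, MAC layout, keys and the cookie value are all constructed stand-ins, not the real TLS record format.

```python
"""Toy model of the SSL 3.0 / TLS 1.0 chained-IV CBC weakness behind BEAST and
of the 1/n-1 record-splitting mitigation. Everything here is a constructed
stand-in for the real TLS record layer."""
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher: a 4-round Feistel network with an HMAC-SHA256
    round function. A Feistel network is a keyed permutation whatever the round
    function, which is all CBC needs here; it stands in for AES/3DES."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class Tls10CbcWriter:
    """Sender side of a TLS 1.0-style CBC connection. The IV of each record is
    the last ciphertext block of the previous record, so it is visible on the
    wire before the next record's plaintext is chosen."""

    def __init__(self, enc_key: bytes, mac_key: bytes, split_records: bool):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.split_records = split_records  # 1/n-1 split on application writes
        self.seq = 0
        self.last_block = os.urandom(BLOCK)  # initial IV; public once sent

    def send_record(self, data: bytes) -> bytes:
        """Encrypt one record: data || MAC(seq, data), zero-padded to a block
        boundary (TLS uses length padding; only the chaining matters here)."""
        tag = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + data,
                       hashlib.sha256).digest()
        self.seq += 1
        plaintext = data + tag
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)
        out = b""
        for i in range(0, len(plaintext), BLOCK):
            c = encrypt_block(self.enc_key, xor(plaintext[i:i + BLOCK], self.last_block))
            out += c
            self.last_block = c  # becomes the IV of the next record
        return out

    def send(self, data: bytes) -> bytes:
        """Application write. With splitting on, the first byte goes out as its
        own record; that record's ciphertext depends on the secret MAC key, so
        the IV the rest of `data` is chained to was unknown when `data` was chosen."""
        if self.split_records and len(data) > 1:
            return self.send_record(data[:1]) + self.send_record(data[1:])
        return self.send_record(data)


def beast_guess_block(writer: Tls10CbcWriter, c_prev: bytes, c_target: bytes,
                      guess: bytes) -> bool:
    """Test one guess for the plaintext block P_t encrypted as
    c_target = E(P_t xor c_prev). The attacker reads the IV the next record
    will use and injects guess xor c_prev xor iv, so the cipher input is
    guess xor c_prev and the output equals c_target exactly when guess == P_t."""
    iv = writer.last_block
    ct = writer.send(xor(xor(guess, c_prev), iv))
    return ct[:BLOCK] == c_target


def recover_last_byte(writer: Tls10CbcWriter, c_prev: bytes, c_target: bytes,
                      known_prefix: bytes):
    """Chosen-boundary step: 15 bytes of the target block are known, so the
    last byte costs at most 256 oracle queries. Returns the byte or None."""
    assert len(known_prefix) == BLOCK - 1
    for b in range(256):
        if beast_guess_block(writer, c_prev, c_target, known_prefix + bytes([b])):
            return b
    return None


def demo(split_records: bool):
    """Run the attack against a writer with or without 1/n-1 splitting.
    Keys and the cookie value are constructed for the example."""
    victim = Tls10CbcWriter(os.urandom(16), os.urandom(16), split_records)
    # Target: a block of a request the victim already sent. The attacker knows
    # 15 bytes (fixed header text) and wants the 16th. It is written as one
    # record so its block boundary is known; in BEAST the attacker arranges
    # that alignment by padding the request path.
    secret_block = b"Cookie: sid=ab19"
    c_prev = victim.last_block  # IV of the target record, observed on the wire
    c_target = victim.send_record(secret_block + b"\r\n")[:BLOCK]
    # The attacker now gets the victim to send chosen plaintext on the same connection.
    return recover_last_byte(victim, c_prev, c_target, secret_block[:-1])


if __name__ == "__main__":
    print("without split:", demo(False))  # recovers ord('9')
    print("with 1/n-1 split:", demo(True))  # None: guesses no longer line up
```

The split does not hide `c_prev` or the target ciphertext; what it removes is the attacker's ability to know, at the moment the chosen plaintext is committed, which ciphertext block it will be XORed with, because the one-byte record in front of it carries a MAC computed under a key the attacker does not have. TLS 1.1 and later close the same gap by giving every record an explicit, unpredictable IV.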
The critical bulletin, MS12-004, fixes two vulnerabilities in Windows Media Player: a critical one in MIDI file handling and an important one in closed caption (CC) parsing.
“The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerabilities can be both through email or hosting the media file on a website. They have the potential to be used in a drive-by-download attack,” said Kandek.
Jason Miller, manager of research and development at VMware, said: “As media files are extremely popular for viewing and sharing, administrators should patch this bulletin on their workstation machines as soon as possible. It is important to note that newer operating systems (Windows 7, Windows 2008 R2) are not affected by one of the vulnerabilities. These machines will only show one patch missing whereas older Microsoft operating systems (Windows XP, Vista, 2003, 2008) will require two patches to fully fix the vulnerabilities in this security bulletin.”
Adobe also released patches for critical vulnerabilities in its Reader and Acrobat X products yesterday. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.
These follow an emergency patch released in December for Acrobat and Reader. Adobe recommended users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). For users of Adobe Reader 9.4.7 and earlier versions for Windows and Macintosh who cannot update to Adobe Reader X (10.1.2), Adobe has made available the update Adobe Reader 9.5.
Adobe recommends users of Adobe Acrobat X (10.1.1) for Windows and Macintosh update to Adobe Acrobat X (10.1.2). It recommends users of Adobe Acrobat 9.4.7 and earlier versions for Windows and Macintosh update to 9.5.