Microsoft has announced that it will release seven bulletins addressing eight vulnerabilities on its first patch Tuesday of 2012.
Only one of the patches is rated as ‘critical' and affects a remote code execution flaw in Windows; five patches are rated as ‘important' and affect remote code execution, information disclosure, security feature bypass and elevation of privilege flaws in Windows. The remaining patch affects an important information disclosure flaw in Microsoft developer tools and software.
Microsoft Trustworthy Computing spokesperson Angela Gunn said security feature bypass is an issue that cannot be leveraged by an attacker; rather a would-be attacker would use it to facilitate use of another exploit.
Wolfgang Kandek, CTO of Qualys, said: “Microsoft is starting 2012 with a surprisingly large first release of seven security bulletins covering eight separate vulnerabilities. In past years we usually had relatively small January release containing only one or two bulletins.
“The first six bulletins affect various versions of the Windows Operating System, from XP SP3 up to the newest versions Windows 7 and Windows 2008 R2. The seventh bulletin covers Microsoft Developer Tools.
“Please be also aware that both Adobe and Oracle will release their quarterly updates this month as well. Parts of Adobe's release will cover CVE-2011-4369 in Adobe Reader X, which they had addressed for Adobe Reader 9 out-of-band due to exploits in the wild on 16 December.”
Paul Henry, security and forensic analyst, Lumension, said: “The critical bulletin fixes a remote code execution issue in Media Player, while the remaining important bulletins handle the Beast SSL issue and various information disclosure issues, escalation of privilege issues and an update to Microsoft's SEHOP technology to enhance the defense-in-depth capability that it can afford to legacy applications.
“Interesting to note that despite all of the hype over ‘The Beast', attacks have simply never materialised and the issue has retained its ‘important' classification from Microsoft.”
Microsoft released a workaround for publicly disclosed vulnerability in web application platforms, including Microsoft's ASP.NET, over Christmas. Henry said that for users with web-facing assets using .Net/ASP who have not already installed the out-of-band patch, this is the greatest priority.