Microsoft patches critical Windows drive-by bug
Also beefs up defenses of aged apps
Computerworld - Microsoft today shipped seven security updates that patched eight vulnerabilities in Windows and a code library used to protect Web applications from cross-site scripting attacks.
As experts expected, today Microsoft issued the patch it pulled at the last minute in December 2011.
Only one of the seven updates was labeled "critical," Microsoft's highest threat ranking; the others were marked "important." Of the eight vulnerabilities, Microsoft classified seven as important, one as critical.
MS12-004, which plugs two holes in Windows Media Player, was the unanimous choice of security experts as the first update to deploy.
"It's a drive-by," noted Andrew Storms, director of security operations at nCircle Security, referring to attacks triggered when users simply browse to a malicious site. The bug, which is within Media Player's parsing of MIDI-formatted files, exists within Windows XP, Vista, Server 2003 and Server 2008, but not the newest editions, Windows 7 and Server 2008 R2.
"It looks like the Windows 7 guys fixed it already," said Storms.
Others also tagged MS12-004 as the update to apply pronto.
The second of the two bugs patched by MS12-004, said Wolfgang Kandek, chief technology officer at Qualys, is within the closed captioning feature of Windows Media Player. Kandek guessed that Microsoft rated that flaw as important -- rather than critical, as it did the MIDI file format vulnerability -- "because most people don't have it on by default."
"I'm sticking with MS12-004, too," said Jason Miller, manager of research and development at VMware.
Kandek and Miller named MS12-005 as another update to install as soon as possible.
That update patches a single vulnerability in the ClickOnce feature of Microsoft Office documents. Microsoft gave the bug an exploitability index rating of "1," meaning the company expects reliable exploit code to appear in the wild in the next 30 days.
Kandek noted that Microsoft pegged MS12-005 as important, not critical, even though it could be used to plant malware on a machine. "They did that because there is some user intervention required," said Kandek. "A user would have to open an Office file and then click on something."
Miller also found MS12-005 interesting, but argued against Microsoft's exploitability rating, downplaying the likelihood that attackers would actually leverage the bug.
"Some will probably figure it out, but I'm guessing that the ClickOnce technology isn't something most attackers are very well versed with," said Miller. To exploit the vulnerability on an unpatched PC, hackers would have to know -- or learn -- how to create a ClickOnce application, then embed it in, say, a Word or PowerPoint document.
MS12-006 fixed a long-standing issue in SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 within Windows that was publicized last September by a pair of researchers who built BEAST, or "Browser Exploit Against SSL/TLS," a hacking tool and the first-ever practical exploit of an flaw known since 2003.
Microsoft was set to quash the bug exploited by BEAST last month, but scratched the release just before December's Patch Tuesday because German enterprise developer SAP reported compatibility problems.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts