Skip the navigation

Microsoft patches critical Windows drive-by bug

Also beefs up defenses of aged apps

January 10, 2012 04:19 PM ET

Computerworld - Microsoft today shipped seven security updates that patched eight vulnerabilities in Windows and a code library used to protect Web applications from cross-site scripting attacks.

As experts expected, today Microsoft issued the patch it pulled at the last minute in December 2011.

Only one of the seven updates was labeled "critical," Microsoft's highest threat ranking; the others were marked "important." Of the eight vulnerabilities, Microsoft classified seven as important, one as critical.

MS12-004, which plugs two holes in Windows Media Player, was the unanimous choice of security experts as the first update to deploy.

"It's a drive-by," noted Andrew Storms, director of security operations at nCircle Security, referring to attacks triggered when users simply browse to a malicious site. The bug, which is within Media Player's parsing of MIDI-formatted files, exists within Windows XP, Vista, Server 2003 and Server 2008, but not the newest editions, Windows 7 and Server 2008 R2.

"It looks like the Windows 7 guys fixed it already," said Storms.

Others also tagged MS12-004 as the update to apply pronto.

The second of the two bugs patched by MS12-004, said Wolfgang Kandek, chief technology officer at Qualys, is within the closed captioning feature of Windows Media Player. Kandek guessed that Microsoft rated that flaw as important -- rather than critical, as it did the MIDI file format vulnerability -- "because most people don't have it on by default."

"I'm sticking with MS12-004, too," said Jason Miller, manager of research and development at VMware.

Kandek and Miller named MS12-005 as another update to install as soon as possible.

That update patches a single vulnerability in the ClickOnce feature of Microsoft Office documents. Microsoft gave the bug an exploitability index rating of "1," meaning the company expects reliable exploit code to appear in the wild in the next 30 days.

Kandek noted that Microsoft pegged MS12-005 as important, not critical, even though it could be used to plant malware on a machine. "They did that because there is some user intervention required," said Kandek. "A user would have to open an Office file and then click on something."

Miller also found MS12-005 interesting, but argued against Microsoft's exploitability rating, downplaying the likelihood that attackers would actually leverage the bug.

"Some will probably figure it out, but I'm guessing that the ClickOnce technology isn't something most attackers are very well versed with," said Miller. To exploit the vulnerability on an unpatched PC, hackers would have to know -- or learn -- how to create a ClickOnce application, then embed it in, say, a Word or PowerPoint document.

Other bulletins that drew experts' eyes included MS12-006 and MS12-001 that patched Windows to block attacks using an available hacking tool and to stymie assaults against older Web apps.

MS12-006 fixed a long-standing issue in SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 within Windows that was publicized last September by a pair of researchers who built BEAST, or "Browser Exploit Against SSL/TLS," a hacking tool and the first-ever practical exploit of an flaw known since 2003.

Microsoft was set to quash the bug exploited by BEAST last month, but scratched the release just before December's Patch Tuesday because German enterprise developer SAP reported compatibility problems.



Our Commenting Policies