Microsoft patches critical Windows drive-by bug
Also beefs up defenses of aged apps
Computerworld - Microsoft today shipped seven security updates that patched eight vulnerabilities in Windows and a code library used to protect Web applications from cross-site scripting attacks.
As experts expected, today Microsoft issued the patch it pulled at the last minute in December 2011.
Only one of the seven updates was labeled "critical," Microsoft's highest threat ranking; the others were marked "important." Of the eight vulnerabilities, Microsoft classified seven as important, one as critical.
MS12-004, which plugs two holes in Windows Media Player, was the unanimous choice of security experts as the first update to deploy.
"It's a drive-by," noted Andrew Storms, director of security operations at nCircle Security, referring to attacks triggered when users simply browse to a malicious site. The bug, which is within Media Player's parsing of MIDI-formatted files, exists within Windows XP, Vista, Server 2003 and Server 2008, but not the newest editions, Windows 7 and Server 2008 R2.
"It looks like the Windows 7 guys fixed it already," said Storms.
Others also tagged MS12-004 as the update to apply pronto.
The second of the two bugs patched by MS12-004, said Wolfgang Kandek, chief technology officer at Qualys, is within the closed captioning feature of Windows Media Player. Kandek guessed that Microsoft rated that flaw as important -- rather than critical, as it did the MIDI file format vulnerability -- "because most people don't have it on by default."
"I'm sticking with MS12-004, too," said Jason Miller, manager of research and development at VMware.
Kandek and Miller named MS12-005 as another update to install as soon as possible.
That update patches a single vulnerability in the ClickOnce feature of Microsoft Office documents. Microsoft gave the bug an exploitability index rating of "1," meaning the company expects reliable exploit code to appear in the wild in the next 30 days.
Kandek noted that Microsoft pegged MS12-005 as important, not critical, even though it could be used to plant malware on a machine. "They did that because there is some user intervention required," said Kandek. "A user would have to open an Office file and then click on something."
Miller also found MS12-005 interesting, but argued against Microsoft's exploitability rating, downplaying the likelihood that attackers would actually leverage the bug.
"Some will probably figure it out, but I'm guessing that the ClickOnce technology isn't something most attackers are very well versed with," said Miller. To exploit the vulnerability on an unpatched PC, hackers would have to know -- or learn -- how to create a ClickOnce application, then embed it in, say, a Word or PowerPoint document.
MS12-006 fixed a long-standing issue in SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 within Windows that was publicized last September by a pair of researchers who built BEAST, or "Browser Exploit Against SSL/TLS," a hacking tool and the first-ever practical exploit of an flaw known since 2003.
Microsoft was set to quash the bug exploited by BEAST last month, but scratched the release just before December's Patch Tuesday because German enterprise developer SAP reported compatibility problems.
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!