Microsoft patches critical Windows drive-by bug

Also beefs up defenses of aged apps

1 2 Page 2
Page 2 of 2

Although Microsoft would not confirm last week that the BEAST bug would be on today's slate, most researchers put their money on its release.

MS12-001 was also out of the ordinary: It was the first that Microsoft branded as a "security feature bypass" vulnerability.

As several experts guessed last week, today's MS12-001 patched Windows to ensure an anti-exploit technology dubbed "SafeSEH" cannot be bypassed by attackers targeting older applications created with Visual C++ .Net 2003, a developer toolset that shipped in April 2003.

Applications built with later versions of C++ .Net are immune to the vulnerability.

Rather than require application developers to recompile their work, said Storms, Microsoft has instead tweaked Windows. "Windows now knows how to correctly read the metadata," Storms said.

Windows XP Service Pack 3 (SP3), the only currently-supported version of the decade-old OS, isn't vulnerable to the bug, Microsoft said. But newer editions, including Windows Vista, Windows 7, Server 2008 and Server 2008 R2, are.

Miller was pessimistic about hackers' chances exploiting this vulnerability, too.

"They're going to have to find an application [written with C++ .Net 2003], then package this with another vulnerability," Miller said. "They'll have to hunt and peck to find [a target], which are rare," he added, because of the age of that language, and thus the age of the applications written with it.

Microsoft published additional information about MS12-001 on its Security Research & Defense blog today.

December's security patches -- with the exception of MS12-007 -- can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

The MS12-007 update, which affects a library used by third-party developers to deflect cross-site scripting (XSS) attacks, is currently available only as a manual download from Microsoft's download center.

"The update will also be provided through our other standard distribution methods once testing has been completed to ensure distribution will be successful through these channels," Microsoft said in the accompanying write-up of the vulnerability.

Miller was dubious.

"They've said this before," Miller said, "but I haven't seen them pop up on Windows Update. These are the kind that can easily get by customers."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

See more articles by Gregg Keizer.

Copyright © 2012 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
  
Shop Tech Products at Amazon