Microsoft plans big January Patch Tuesday

Mystery of the month, say experts, is what Microsoft means by 'security feature bypass' update

Microsoft today said it would deliver seven security updates next week -- tying the record for January -- to patch eight vulnerabilities in Windows and its developer tools.

But the company declined to confirm that the Jan. 10 slate will include a patch pulled at the last minute a month ago .

One of the seven updates was tagged "critical," the highest threat ranking in Microsoft's four-step system, while the others were marked "important," the second-highest rating, even though some of them could conceivably be exploited by attackers to plant malware on users' PCs.

Altogether, three of the updates were labeled as "remote code execution," meaning they could be used to hijack an unpatched system, Microsoft said in its monthly advance notification.

A twist to this month's Patch Tuesday is Microsoft's classification of one of the updates as "security feature bypass," a label it's never before applied.

"[Security feature bypass]-class issues in themselves can't be leveraged by an attacker," said Angela Gunn, a spokeswoman for the Microsoft Security Response Center, in a post to that group's blog today. "Rather, a would-be attacker would use them to facilitate use of another exploit."

Andrew Storms, director of security operations at nCircle Security, took a shot at deciphering the new category.

"Someone probably discovered a method to either turn off or bypass one of Windows security features that could let an attacker get in easier," said Storms, who said the possibilities of the vulnerable element could range from UAC -- for "user account control," the prompt users must click through to install software, to DEP and ASLR, two important anti-exploit technologies baked into Windows.

In an email, Paul Harvey, a security and forensic analyst with Lumension, flatly said that the security bypass feature (dubbed "SBF" by Microsoft) patch would "update ... Microsoft's SEHOP technology to enhance the defense-in-depth capability that it can afford to legacy applications."

SEHOP, or Structured Exception Handler Overwrite Protection, is a label for an anti-exploit technology that designed to block a now-common hacking technique first described in 2003, according to a Microsoft Security Research & Defense blog post from 2009.

Microsoft added SEHOP defenses to Windows with Vista Service Pack 1 (SP1); it's also inside Windows 7, Server 2008 and Server 2008 R2, although it's disabled by default on Vista and Windows 7, Microsoft says , "for compatibility reasons."

It's possible that Microsoft will enable SEHOP by default in those client editions of Windows with next Tuesday's patch.

Microsoft said it would publish more information about the SBF-related update next week.

The new category doesn't necessarily mean that Microsoft expects a slew of vulnerabilities that fit under the SBF label, said Storms, who had a simpler explanation.

"I think they just had an oddball and they didn't know what to do with it," said Storms. "Rather than try to shove it into an existing category, like remote code execution or elevation of privilege, they thought, 'Why muck with history? Let's just make a new one.'"

Microsoft declined to say whether next week's update tally will include a fix for a long-standing issue in SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 within Windows that was publicized last September by a pair of researchers who built BEAST, or "Browser Exploit Against SSL/TLS," a hacking tool and the first-ever practical exploit of the years-old flaw.

Although a patch for the bug exploited by BEAST was scheduled to ship in December 2011, Microsoft scratched the release at the last moment because German enterprise developer SAP reported compatibility problems.

"Microsoft continues to work with SAP and will release the update through our normal bulletin process," said Dave Forstrom, director of Microsoft's Trustworthy Computing group, today when asked if a BEAST patch was on the docket for next Tuesday.

"It's gonna be in there," said Storms of Microsoft's fix. "It's my understanding that the SAP patch is already out."

The seven updates next week will get 2012 off to a quick start for Microsoft, which has traditionally pushed a small number of updates to users in the year's first month. Microsoft released just two bulletins in January 2011, for example, two in 2010, one in 2009 and two in 2008.

Microsoft will release the seven updates at approximately 1 p.m. ET on Jan. 10.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Topic Center.

Copyright © 2012 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon