eEye Digital Security
Microsoft Patch Disclosure
January 10, 2012


Overview 
This month, Microsoft released seven patches that fix a total of eight vulnerabilities. Of these vulnerabilities, four remote code execution vulnerabilities were patched, one elevation of privilege vulnerability was patched, one security feature bypass vulnerability was patched, and two information disclosure vulnerabilities were patched.


Patch Precedence 
Administrators are advised to patch MS12-004 immediately to prevent exploitation by attackers. Next, administrators should patch MS12-001, MS12-002, MS12-003, MS12-005, and MS12-006 as soon as possible. Lastly, administrators should patch MS12-007 at their earliest convenience.

As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
Web Event: Vulnerability Expert Forum (VEF)
Presenters: The eEye Research Team
Date/Time: Wednesday, January 11th, 1pm PT / 4pm ET / 9pm GMT


Bulletin/Advisory Details

MS12-001
Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)
Microsoft Rating: Important
CVE: CVE-2012-0001

Analysis
This bulletin addresses a privately reported security feature bypass vulnerability in the Windows Kernel. The patch fixes the way that NTDLL.dll handles the SEH (structured exception handler) table referenced from the "Load Configuration" PE header while the binary is being executed. A local attacker that successfully exploited this vulnerability could exploit other vulnerabilities without having to defeat the SafeSEH protection that this table provides.

Recommendations
Deploy patches as soon as possible. Until the patch can be installed, make sure that Structured Exception Handling Overwrite Protection (SEHOP) is enabled on affected systems. This mitigation is not available to XP and Server 2003 users. Additionally, developers are encouraged to use a version of Visual C++ more recent than 2003; using the most recent version of software is always advised as a security best practice (see the eEye configuration report at www.eeye.com/securityresearch for more information).
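To make the "SEH table in the Load Configuration header" concrete, the following is an added example in Python (not eEye's or Microsoft's code, and not part of the original newsletter) that parses a PE32 image's IMAGE_LOAD_CONFIG_DIRECTORY and reports whether the image declares a SafeSEH handler table. This is the kind of check an administrator can run over an inventory of binaries to see which ones actually carry the table that SafeSEH depends on. The image it parses is a constructed, non-executable stand-in built inside the block; the function names, the sample RVAs and the policy of only trusting fields that lie inside the struct's declared Size are this example's own assumptions.

```python
import struct

# Constants from the PE format (winnt.h). The parser policy below is this
# example's own and is not taken from the eEye newsletter or from Microsoft code.
LOAD_CONFIG_INDEX = 10            # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
PE32_MAGIC = 0x10B                # IMAGE_NT_OPTIONAL_HDR32_MAGIC
SEH_TABLE_OFFSET = 64             # SEHandlerTable in IMAGE_LOAD_CONFIG_DIRECTORY32;
                                  # SEHandlerCount immediately follows it
LOAD_CONFIG_WITH_SEH_SIZE = 72    # 32-bit struct size up to and including SEHandlerCount


def rva_to_offset(sections, rva):
    """Translate an RVA into a file offset via the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def read_load_config(data):
    """Parse a PE32 image and describe its load-config directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, file_hdr + 2)
    opt_size, = struct.unpack_from("<H", data, file_hdr + 16)
    opt = file_hdr + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 images are handled in this example")
    num_dirs, = struct.unpack_from("<I", data, opt + 92)     # NumberOfRvaAndSizes
    if num_dirs <= LOAD_CONFIG_INDEX:
        return {"present": False, "reason": "no load-config data directory"}
    lc_rva, lc_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_INDEX)
    if lc_rva == 0:
        return {"present": False, "reason": "load-config directory entry is empty"}

    # Section headers follow the optional header; each is 40 bytes with
    # VirtualAddress @+12, SizeOfRawData @+16, PointerToRawData @+20.
    sec_base = opt + opt_size
    sections = [struct.unpack_from("<III", data, sec_base + 40 * i + 12)
                for i in range(num_sections)]

    off = rva_to_offset(sections, lc_rva)
    struct_size, = struct.unpack_from("<I", data, off)
    info = {"present": True, "size": struct_size, "safeseh": False, "handlers": 0}
    # Policy of this example: only trust fields that lie inside the declared Size.
    if struct_size >= LOAD_CONFIG_WITH_SEH_SIZE:
        table, count = struct.unpack_from("<II", data, off + SEH_TABLE_OFFSET)
        info["safeseh"] = table != 0
        info["handlers"] = count
    return info


def safeseh_status(data):
    """One-line summary suitable for an inventory script."""
    info = read_load_config(data)
    if not info["present"]:
        return "no SafeSEH table (%s)" % info["reason"]
    if info["safeseh"]:
        return "SafeSEH table declared, %d registered handler(s)" % info["handlers"]
    return "load config present (Size=%d) but no SafeSEH table" % info["size"]


def build_sample_pe(seh_table_rva, seh_count, struct_size=LOAD_CONFIG_WITH_SEH_SIZE,
                    include_directory=True):
    """Constructed, non-executable PE32 stand-in: one .rdata section holding a load-config block."""
    section_va, section_raw, lc_in_section = 0x1000, 0x200, 0x10
    lc = bytearray(LOAD_CONFIG_WITH_SEH_SIZE)
    struct.pack_into("<I", lc, 0, struct_size)
    struct.pack_into("<II", lc, SEH_TABLE_OFFSET, seh_table_rva, seh_count)
    section = bytearray(0x200)
    section[lc_in_section:lc_in_section + len(lc)] = lc

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                          # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if include_directory:
        struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX,
                         section_va + lc_in_section, struct_size)
    sec_hdr = bytearray(40)
    sec_hdr[:6] = b".rdata"
    struct.pack_into("<IIII", sec_hdr, 8, 0x200, section_va, 0x200, section_raw)
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    headers += bytes(section_raw - len(headers))                  # pad headers to the section start
    return bytes(headers + section)


if __name__ == "__main__":
    for label, image in [("with SafeSEH", build_sample_pe(0x2000, 3)),
                         ("no SafeSEH", build_sample_pe(0, 0))]:
        print(label + ":", safeseh_status(image))
```

On a real system the same `read_load_config` can be pointed at any 32-bit DLL or EXE read from disk; images whose load-config block is too small to contain the handler table, or that have no load-config directory at all, are exactly the ones for which SEHOP (rather than SafeSEH) is the only exception-handler protection available.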



MS12-002
Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)
Microsoft Rating: Important
CVE: CVE-2012-0009

Analysis
This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Windows. The patch fixes how the Windows Object Packager is registered in the Windows Registry. On vulnerable systems, a user could open a legitimate document with an embedded packaged object, which would cause an executable in the same directory as the document to be launched, in the same way that insecure library loading vulnerabilities pick up a DLL from the document's directory. An attacker that successfully exploited this vulnerability would gain the ability to execute code with the same permissions as the program used to open the legitimate document.

Recommendations
Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall and prevent the WebClient service from running. Additionally, use the registry editor to set a full path to packager.exe in the default value of HKCR\Package\Protocol\StdFileEditing\Server.


MS12-003
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)
Microsoft Rating: Important
CVE: CVE-2012-0005

Analysis
This bulletin addresses a privately reported elevation of privilege vulnerability in the Client/Server Run-Time Subsystem (CSRSS). The patch fixes a memory access violation that occurs when parsing certain Unicode characters. This only occurs on systems configured with Chinese, Japanese, or Korean locales. An attacker that successfully exploited this vulnerability would gain system level access to the target machine.

Recommendations
Deploy patches as soon as possible, since no mitigation is available.


MS12-004
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
Microsoft Rating: Critical
CVE List: CVE-2012-0003 & CVE-2012-0004

Analysis
This bulletin addresses two privately reported remote code execution vulnerabilities in Windows Media. The patch fixes a vulnerability in the parsing of MIDI files and another vulnerability in how DirectShow handles media files. An attacker that successfully exploited either vulnerability would gain user level access to the target machine.

Recommendations
Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, prevent MIDI files from being parsed and disable the Line21 filter for DirectShow.


MS12-005
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)
Microsoft Rating: Important
CVE List: CVE-2012-0013

Analysis
This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Windows. The patch changes which file types Windows Packager permits to be embedded within documents, by changing the way it determines whether a file is unsafe. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

Recommendations
Deploy patches as soon as possible. Until the patch can be installed, unregister the .application file association in the Windows registry.


MS12-006
Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
Microsoft Rating: Important
CVE: CVE-2011-3389

Analysis
This bulletin addresses a publicly reported information disclosure vulnerability in the Microsoft Windows SSL implementation, specifically within WinHTTP. The patch fixes how Windows Secure Channel (SChannel) transmits network packets. An attacker that successfully exploited this vulnerability would gain the ability to decrypt secure SSL communication, as well as inject attacker-controlled data, by using a man-in-the-middle attack.

Recommendations
Deploy patches as soon as possible. Until the patch can be installed, enable TLS 1.1 and 1.2 and prioritize the RC4 algorithm over CBC-mode ciphers.


MS12-007
Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)
Microsoft Rating: Important
CVE: CVE-2012-0007

Analysis
This bulletin addresses a privately reported information disclosure vulnerability in the Microsoft Anti-Cross Site Scripting Library (AntiXSS). The patch fixes how the AntiXSS library filters certain HTML, so that it properly identifies XSS attacks. While the AntiXSS library itself is not vulnerable to cross-site scripting attacks, any website that filters data with certain AntiXSS functionality will be vulnerable to cross-site scripting attacks. An attacker that successfully exploited this vulnerability would gain the ability to execute cross-site scripting attacks on affected sites.

Recommendations
Deploy patches as soon as possible, since no mitigation is available.

Feedback
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers.
We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to products@eeye.com.

Disclaimer
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email products@eeye.com for permission.
© 1998 – 2012 eEye Digital Security. All rights reserved.