Microsoft Readies 7 Fixes For Upcoming Patch Tuesday

Microsoft has provided network administrators with a heads up about its forthcoming Patch Tuesday update, announcing seven patches in its first bug fix of the new year.

The company fixed vulnerabilities in all versions of the Windows operating system, including Windows 7 and Windows Server 2008 R2, according to Microsoft’s advance notification announcement released 5 January.

Only one of the seven bulletins is rated “critical,” and the remaining ones are rated “important.” The critical bulletin, which fixes a remote code execution issue in Media Player, can be downgraded to “important” for Windows 7 and Windows 2008 R2 users, according to the advisory.

Bug Fixes

Microsoft is expected to release the updates for January’s Patch Tuesday on 10 January.

Six of the bulletins fixed holes in various versions of Windows, and only one would cover Microsoft Developer Tools. “Windows 7 and 2008 R2 have less exposure” as two of the bulletins don’t apply to them at all, according to Wolfgang Kandek, CTO of Qualys.

The non-critical bulletins handle the Secure Sockets Layer (SSL) vulnerability affecting Web servers that could be exploited by the BEAST tool and various information disclosure and escalation of privilege issues, according to Paul Henry, security and forensic analyst at Lumension. Microsoft also will update its Structured Exception Handling Overwrite Protection technology, a defence-in-depth capability that makes it harder for attackers to successfully exploit legacy applications, according to Henry.

The BEAST/SSL patch was supposed to have been included in December’s Patch Tuesday release but had been pulled at the last minute due to some testing problems involving a third-party vendor, according to Microsoft. Henry noted that despite all the hype after the BEAST attack tool was released over the summer, attacks exploiting the SSL flaw “simply never materialised.”

One of the bulletins rated as important will fix an issue described as a “security feature bypass,” a label Microsoft has not used previously. An SFB-class issue can’t be directly exploited by an attacker but would be used to exploit another vulnerability, Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, wrote on the Microsoft Security Response Center blog. A more detailed analysis would be available when the patches go live, according to Gunn.

“It will be interesting to see, which exact Windows features are involved and how this vulnerability can be used by attackers,” Kandek said.

Emergency Fix

A SFB-class flaw may cover cases where users turn off a Windows security safeguard, speculated Andrew Storms, director of security operations for nCircle. “It’s not exactly a software bug, but it’s a condition that could allow attackers much more room to manoeuvre,” Storms told eWEEK.

Microsoft issued an out-of-band security update on 29 December to close four serious vulnerabilities in the .NET framework. One of the vulnerabilities could be exploited to launch hash collision attacks on Web applications built on ASP.NET and trigger a denial of service. The .NET patch had originally been scheduled for the January release, but the company moved up the date in order to issue the ASP.NET fix as an emergency patch.

The DoS zero-day exists in other Web application frameworks as well. But Microsoft and Apache appear to be the only ones who have addressed the issue to date.