Microsoft Patches SSL BEAST
In the first Patch Tuesday of 2012, Microsoft fixes an old issue and warns about a new security bypass risk.
Microsoft is kicking off its 2012 Patch Tuesday release cycle with seven security bulletins. Among the items patched is an SSL issue that has been known publicly since at least September 2011.
The January Patch Tuesday update provides a fix for the SSL BEAST attack (an acronym for Browser Exploit Against SSL/TLS). The BEAST exploit takes advantage of a weakness in the TLS 1.0 version of SSL to decrypt encrypted HTTPS requests. Microsoft had originally planned to patch the flaw in its December Patch update.
"MS12-006 patches the SSL vulnerability which was scrapped last month, reportedly because of incompatibility issues with SAP," Marcus Carey, security researcher at security vendor Rapid 7 said in an email sent to InternetNews.com. "This pulled patch last month emphasizes the point that organizations need to test patches for compatibility before patching."
Carey noted that in the case with SAP, they have access to test patches before deployment. Smaller software providers might not have access to the patches before Microsoft releases them. He suggests that organizations should always test, then patch.
Microsoft is also introducing a new category of attack that they refer to as Security Feature Bypass risk. Microsoft security bulletin MS12-001 details a vulnerability in the Windows kernel that could potentially enable an attacker to bypass the SafeSEH (Safe Exception Handlers) feature.
"SafeSEH is a defense–in-depth security feature that is designed to make it more difficult for attackers to exploit certain types of vulnerabilities," Matt Miller, MSEC Security Science at Microsoft wrote in a TechNet blog post. "In particular, SafeSEH is designed to prevent attackers from using an attack technique known as an SEH overwrite."
In the case of MS12-001, an attacker is potentially able to use different vulnerabilities in order to leverage the structured exception handler to run arbitrary code. Microsoft notes in its advisory that only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.
"In a perfect world, the right way to fix issues like this would be to have every developer rebuild their binaries with the latest version of .Net," Carey said. "This is impossible though, as it would mean hundreds of developers would have to rebuild tons of legacy binaries."
Carey added that the great thing about the MS12-001 patch is that it mitigates attacks regardless of the version of .Net used, essentially backporting older binaries to opt in to Structured Exception Handler Overwrite Protection (SEHOP), which is not at risk from the bypass.
The January Patch Tuesday update also fixes a pair of critical vulnerabilities in Windows Media that could enable remote code execution by an attacker.
"This vulnerability can be exploited by embedded malicious Windows Media Players in web pages," Carey said. "This should serve as a reminder that we should expect researchers and attackers to continue to exploit client applications such as media players and browsers."
Windows Media isn't the only Windows component that is being patched for a remote code execution vulnerability this month. A flaw in the Windows Object Packager could potentially lead to remote code execution. There is also a fix for a remote code execution vulnerability in Microsoft Office.
"The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application," Microsoft warns in its advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user."
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network.