Microsoft patches critical Windows drive-by bug

Also beefs up defenses of aged apps

Microsoft today shipped seven security updates that patched eight vulnerabilities in Windows and a code library used to protect Web applications from cross-site scripting attacks.

As experts expected, today Microsoft issued the patch it pulled at the last minute in December 2011.

Only one of the seven updates was labeled "critical," Microsoft's highest threat ranking; the others were marked "important." Of the eight vulnerabilities, Microsoft classified seven as important, one as critical.

MS12-004 , which plugs two holes in Windows Media Player, was the unanimous choice of security experts as the first update to deploy.

"It's a drive-by," noted Andrew Storms, director of security operations at nCircle Security, referring to attacks triggered when users simply browse to a malicious site. The bug, which is within Media Player's parsing of MIDI-formatted files, exists within Windows XP, Vista, Server 2003 and Server 2008, but not the newest editions, Windows 7 and Server 2008 R2.

"It looks like the Windows 7 guys fixed it already," said Storms.

Others also tagged MS12-004 as the update to apply pronto.

The second of the two bugs patched by MS12-004, said Wolfgang Kandek, chief technology officer at Qualys, is within the closed captioning feature of Windows Media Player. Kandek guessed that Microsoft rated that flaw as important -- rather than critical, as it did the MIDI file format vulnerability -- "because most people don't have it on by default."

"I'm sticking with MS12-004, too," said Jason Miller, manager of research and development at VMware.

Kandek and Miller named MS12-005 as another update to install as soon as possible.

That update patches a single vulnerability in the ClickOnce feature of Microsoft Office documents. Microsoft gave the bug an exploitability index rating of "1," meaning the company expects reliable exploit code to appear in the wild in the next 30 days.

Kandek noted that Microsoft pegged MS12-005 as important, not critical, even though it could be used to plant malware on a machine. "They did that because there is some user intervention required," said Kandek. "A user would have to open an Office file and then click on something."

Miller also found MS12-005 interesting, but argued against Microsoft's exploitability rating, downplaying the likelihood that attackers would actually leverage the bug.

"Some will probably figure it out, but I'm guessing that the ClickOnce technology isn't something most attackers are very well versed with," said Miller. To exploit the vulnerability on an unpatched PC, hackers would have to know -- or learn -- how to create a ClickOnce application, then embed it in, say, a Word or PowerPoint document.

Other bulletins that drew experts' eyes included MS12-006 and MS12-001 that patched Windows to block attacks using an available hacking tool and to stymie assaults against older Web apps.

MS12-006 fixed a long-standing issue in SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 within Windows that was publicized last September by a pair of researchers who built BEAST, or "Browser Exploit Against SSL/TLS," a hacking tool and the first-ever practical exploit of an flaw known since 2003.

Microsoft was set to quash the bug exploited by BEAST last month, but scratched the release just before December's Patch Tuesday because German enterprise developer SAP reported compatibility problems.

Although Microsoft would not confirm last week that the BEAST bug would be on today's slate, most researchers put their money on its release.

MS12-001 was also out of the ordinary: It was the first that Microsoft branded as a "security feature bypass" vulnerability.

As several experts guessed last week, today's MS12-001 patched Windows to ensure an anti-exploit technology dubbed "SafeSEH" cannot be bypassed by attackers targeting older applications created with Visual C++ .Net 2003, a developer toolset that shipped in April 2003.

Applications built with later versions of C++ .Net are immune to the vulnerability.

Rather than require application developers to recompile their work, said Storms, Microsoft has instead tweaked Windows. "Windows now knows how to correctly read the metadata," Storms said.

Windows XP Service Pack 3 (SP3), the only currently-supported version of the decade-old OS, isn't vulnerable to the bug, Microsoft said. But newer editions, including Windows Vista, Windows 7, Server 2008 and Server 2008 R2, are.

Miller was pessimistic about hackers' chances exploiting this vulnerability, too.

"They're going to have to find an application [written with C++ .Net 2003], then package this with another vulnerability," Miller said. "They'll have to hunt and peck to find [a target], which are rare," he added, because of the age of that language, and thus the age of the applications written with it.

Microsoft published additional information about MS12-001 on its Security Research & Defense blog today.

December's security patches -- with the exception of MS12-007 -- can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

The MS12-007 update, which affects a library used by third-party developers to deflect cross-site scripting (XSS) attacks, is currently available only as a manual download from Microsoft's download center.

"The update will also be provided through our other standard distribution methods once testing has been completed to ensure distribution will be successful through these channels," Microsoft said in the accompanying write-up of the vulnerability.

Miller was dubious.

"They've said this before," Miller said, "but I haven't seen them pop up on Windows Update. These are the kind that can easily get by customers."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Error: Please check your email address.

More about Andrew Corporation (Australia)AppleASTGoogleMicrosoftnCircleQualysSAP AustraliaTopicVMware Australia

Show Comments

Market Place

[]