BeyondTrust Patch Tuesday

January 10, 2012

Microsoft Patch Disclosure

This month, Microsoft released seven bulletins that fix a total of eight vulnerabilities: four remote code execution, one elevation of privilege, one security feature bypass, and two information disclosure.

Administrators are advised to patch MS12-004, the only Critical bulletin this month, immediately to prevent exploitation by attackers. Next, administrators should patch MS12-001, MS12-002, MS12-003, MS12-005, and MS12-006 as soon as possible. Lastly, administrators should patch MS12-007 at their earliest convenience. As always, eEye suggests that all users apply Microsoft patches promptly, preferably after testing their impact on internal applications and network availability. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday January 11th
    1pm PT / 4pm ET / 9pm GMT

BULLETIN / ADVISORY DETAILS

MS12-001

Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)


Microsoft Rating:

Important

CVE:

CVE-2012-0001

 

Analysis:

This bulletin addresses a privately reported security feature bypass vulnerability in the Windows Kernel. The patch corrects how the kernel handles the SafeSEH handler table that a binary's "Load Configuration" PE directory points to when the image is loaded; on affected systems the table was not honored for binaries built with Visual C++ .NET 2003, so SafeSEH offered no protection for them. The vulnerability does not by itself allow code execution. A local attacker would combine it with a separate memory corruption vulnerability in such a binary, overwriting an exception handler record without having to defeat SafeSEH.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, make sure that Structured Exception Handling Overwrite Protection (SEHOP) is enabled on affected systems; SEHOP validates the exception handler chain at dispatch time and works independently of SafeSEH, so it still blocks handler overwrites when SafeSEH is bypassed. This mitigation is not available to XP and Server 2003 users. Additionally, developers are encouraged to rebuild with a version of Visual C++ more recent than Visual C++ .NET 2003; using the most recent version of software is always advised as a security best practice (see the eEye configuration report at www.eeye.com/securityresearch for more information).
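The following PowerShell snippet is an added example, not part of the original newsletter or of any Microsoft tooling. It reports whether system-wide SEHOP is enabled and turns it on if it is not. System-wide SEHOP is controlled by the DisableExceptionChainValidation DWORD under the Session Manager\kernel key (0 = enabled, 1 = disabled); when the value is absent, Windows uses the SKU default (enabled on Windows Server 2008 and 2008 R2, disabled on Vista and Windows 7). It must run in an elevated session on Vista SP1 / Server 2008 or later, and a reboot is needed before the change takes effect.

```powershell
# Added example (not from the original advisory): check and enable system-wide SEHOP.
# 0 = SEHOP enabled for all processes, 1 = disabled. Per-process overrides live under
# Image File Execution Options and are not handled here.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$ValueName = 'DisableExceptionChainValidation'

function Get-SehopStatus {
    $item = Get-ItemProperty -Path $KernelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the SKU default applies (on by default on Server 2008/2008 R2,
        # off by default on Vista/7), so report it as not explicitly configured.
        return 'NotConfigured'
    }
    if ([int]$item.$ValueName -eq 0) { return 'Enabled' } else { return 'Disabled' }
}

function Enable-Sehop {
    if (-not (Test-Path $KernelKey)) { New-Item -Path $KernelKey -Force | Out-Null }
    Set-ItemProperty -Path $KernelKey -Name $ValueName -Value 0 -Type DWord
}

$status = Get-SehopStatus
Write-Output "System-wide SEHOP: $status"
if ($status -ne 'Enabled') {
    Enable-Sehop
    Write-Output 'SEHOP enabled in the registry; reboot for the change to apply.'
}
```

Enabling SEHOP system-wide can break a small number of legacy applications that manipulate the exception chain themselves, so test on a representative workstation image before pushing the value through Group Policy.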

 

MS12-002

Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)


Microsoft Rating:

Important

CVE:

CVE-2012-0009

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Windows. Windows Object Packager was registered in the Windows Registry with an unqualified path (a bare "packager.exe" with no directory), and the patch corrects that registration. On vulnerable systems, a user who opened a legitimate document containing an embedded packaged object could cause Windows to resolve that name from the document's own directory and launch an attacker-supplied packager.exe placed alongside the document, in the same way insecure library loading (DLL preloading) vulnerabilities are exploited. An attacker who successfully exploited this vulnerability would execute code with the permissions of the user who opened the document.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, block TCP ports 139 and 445 at the perimeter firewall and disable the WebClient service; together these prevent a user from opening a document from an attacker-controlled SMB or WebDAV share, which is where the crafted document and the malicious packager.exe would be hosted side by side. Additionally, use the registry editor to set a full path to packager.exe in the default value of HKCR\Package\Protocol\StdFileEditing\Server, so the loader no longer searches the document directory for it.
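The PowerShell below is an added example, not code from the original newsletter or from Microsoft. It reads the default value of HKCR\Package\Protocol\StdFileEditing\Server, reports whether the registered Object Packager path is qualified, and, if it is not, backs up the key with reg.exe and replaces the value with the full path. It assumes packager.exe lives in %SystemRoot%\system32, which is its normal location; adjust the path if your image differs. Run it elevated.

```powershell
# Added example (not from the original advisory): detect and fix the unqualified
# Object Packager server path addressed by MS12-002. An unqualified "packager.exe" is
# resolved through the loader's search order, which includes the document's directory.
$ServerKey = 'Registry::HKEY_CLASSES_ROOT\Package\Protocol\StdFileEditing\Server'
$FullPath  = Join-Path $env:SystemRoot 'system32\packager.exe'   # assumed location

function Test-PackagerPathQualified {
    $current = (Get-ItemProperty -Path $ServerKey -Name '(default)' -ErrorAction Stop).'(default)'
    # Treat a drive-letter path, a UNC path, or an expandable %SystemRoot% prefix as qualified.
    $qualified = $current -match '^(?:[A-Za-z]:\\|\\\\|%SystemRoot%)'
    [pscustomobject]@{ Current = $current; Qualified = $qualified }
}

function Set-PackagerFullPath {
    # Export the key first so the change can be reverted with "reg import".
    $backup = Join-Path $env:TEMP 'StdFileEditing_Server.reg'
    & reg.exe export 'HKCR\Package\Protocol\StdFileEditing\Server' $backup /y | Out-Null
    Set-ItemProperty -Path $ServerKey -Name '(default)' -Value $FullPath
    Write-Output "Backup written to $backup"
}

$state = Test-PackagerPathQualified
Write-Output ('Registered Object Packager server: {0}' -f $state.Current)
if (-not $state.Qualified) {
    Set-PackagerFullPath
    Write-Output "Default value set to $FullPath"
} else {
    Write-Output 'Path is already qualified; no change made.'
}
```

The same check generalizes to any COM server or file association registered with a bare executable name: the `Test-PackagerPathQualified` logic only needs the key path changed.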

 

MS12-003

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)


Microsoft Rating:

Important

CVE:

CVE-2012-0005

 

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the Client/Server Run-Time Subsystem (CSRSS). The patch fixes a memory access violation that occurs when CSRSS processes a specially crafted sequence of Unicode characters. The flaw is only reachable on systems configured with a Chinese, Japanese, or Korean system locale. An attacker who could log on locally and successfully exploited this vulnerability would run arbitrary code in the context of Local System, since CSRSS runs with those privileges.

 

Recommendation:

Deploy patches as soon as possible, since no mitigation is available.

 

MS12-004

Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)


Microsoft Rating:

Critical

CVE List:

CVE-2012-0003 & CVE-2012-0004

 

Analysis:

This bulletin addresses two privately reported remote code execution vulnerabilities in Windows Media. The patch fixes a vulnerability in the parsing of MIDI files and another in how DirectShow handles media files. Either can be triggered by getting a user to open a crafted media file, for example one hosted on a web page or sent as an attachment. An attacker who successfully exploited either vulnerability would execute code with the privileges of the logged-on user.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, prevent MIDI files from being parsed and disable the Line21 DirectShow filter, following the workaround steps in the Microsoft bulletin.

 

MS12-005

Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)


Microsoft Rating:

Important

CVE:

CVE-2012-0013

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Windows. The patch changes the way Windows Packager determines whether an embedded file type is unsafe, so that file types such as ClickOnce .application files are no longer launched from within documents without the usual warning. An attacker who convinced a user to open a document with such an embedded object and successfully exploited this vulnerability would execute code with the privileges of the logged-on user.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, unregister the .application file association in the Windows registry (export the key first so it can be restored once the patch is in place); this blocks the embedded ClickOnce launch path at the cost of breaking legitimate ClickOnce deployments until it is restored.

 

MS12-006

Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)


Microsoft Rating:

Important

CVE:

CVE-2011-3389

 

Analysis:

This bulletin addresses a publicly disclosed information disclosure vulnerability in SSL 3.0 and TLS 1.0 (CVE-2011-3389, the "BEAST" attack). The weakness is in the protocols' use of CBC-mode ciphers rather than a Microsoft-specific coding error, and it affects Windows Secure Channel (SChannel) and the clients built on it, such as WinHTTP. The patch changes how SChannel transmits encrypted records. An attacker positioned as a man-in-the-middle who can also cause the victim's client to send chosen plaintext over the encrypted connection (for example, through script in the browser) could recover portions of the encrypted traffic, such as HTTP session cookies.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, enable TLS 1.1 and TLS 1.2 where both client and server support them (Windows 7 and Server 2008 R2 or later), and prefer RC4 cipher suites over CBC-mode suites for connections that still negotiate SSL 3.0 or TLS 1.0. Treat the RC4 preference as a stopgap only: RC4 has exploitable keystream biases of its own, so the lasting fix is the patch together with TLS 1.1/1.2.
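The PowerShell below is an added example, not code from the original newsletter or from Microsoft. It covers the "enable TLS 1.1 and 1.2" part of the workaround for WinINet/Internet Explorer clients, which is the SecureProtocols bitmask under the current user's Internet Settings key (the same setting as the "Use TLS 1.1" and "Use TLS 1.2" checkboxes in Internet Options). It lists which versions are currently enabled, then sets the TLS 1.1 and 1.2 bits while clearing SSL 2.0 and leaving TLS 1.0 in place for servers that cannot yet negotiate anything newer. The bit values are the documented ones; when the value is absent, Internet Explorer of this era defaults to SSL 3.0 + TLS 1.0 (0xA0). On systems older than Windows 7 / Server 2008 R2, SChannel has no TLS 1.1/1.2 and the extra bits have no effect.

```powershell
# Added example (not from the original advisory): inspect and raise the client-side
# SSL/TLS versions enabled for WinINet / Internet Explorer via SecureProtocols.
$InetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Protocols = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
$DefaultMask = 0x0A0   # value absent: IE default is SSL 3.0 + TLS 1.0

function Get-SecureProtocolsMask {
    $item = Get-ItemProperty -Path $InetKey -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultMask }
    return [int]$item.SecureProtocols
}

function Get-ProtocolStatus {
    # One row per protocol version, Enabled = $true when its bit is set in the mask.
    $mask = Get-SecureProtocolsMask
    foreach ($name in $Protocols.Keys) {
        [pscustomobject]@{
            Protocol = $name
            Enabled  = [bool]($mask -band $Protocols[$name])
        }
    }
}

function Enable-Tls11And12 {
    # Add the TLS 1.1/1.2 bits and drop SSL 2.0; everything else (notably TLS 1.0)
    # is preserved so existing servers keep working while they are upgraded.
    $mask = Get-SecureProtocolsMask
    $new  = ($mask -bor $Protocols['TLS 1.1'] -bor $Protocols['TLS 1.2']) -band (-bnot $Protocols['SSL 2.0'])
    Set-ItemProperty -Path $InetKey -Name SecureProtocols -Value $new -Type DWord
    return $new
}

Get-ProtocolStatus | Format-Table -AutoSize
$updated = Enable-Tls11And12
Write-Output ('SecureProtocols is now 0x{0:X}' -f $updated)
```

This only changes the WinINet client setting for the current user; server-side protocol and cipher suite policy for SChannel is configured separately, and the RC4-over-CBC ordering in the workaround is a cipher suite priority change rather than a protocol-version change.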

 

MS12-007

Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)


Microsoft Rating:

Important

CVE:

CVE-2012-0007

 

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in the Microsoft Anti-Cross Site Scripting Library (AntiXSS). The patch fixes how the library's HTML sanitization functionality filters certain HTML, so that it properly strips or neutralizes script that the previous version let through. The AntiXSS library itself is not a web application and cannot be "attacked", but any website that relies on the affected sanitization functions to clean untrusted HTML is exposed to cross-site scripting. An attacker who successfully exploited this vulnerability would be able to run script in the browsers of users of such a site, disclosing information such as session data.

 

Recommendation:

Deploy patches as soon as possible, since no mitigation is available. Note that AntiXSS is a library redistributed with applications rather than a Windows component, so each application that ships it must be updated to the fixed version and redeployed; installing the bulletin on the web server alone does not fix applications that carry their own copy.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.