Next Microsoft Patch Tuesday include BEAST SSL fix

Microsoft’s first batch of patches for 2012 will include fixes for security vulnerabilities in the Windows operating system and Microsoft Developer Tools and Software. The patches will be released next Tuesday (Jan 10, 2012) at approximately 1:00 PM EST.
The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six important bulletins due next Tuesday handle the BEAST SSL issue and various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offers to legacy applications. The BEAST/SSL patch was supposed to have been included in December’s Patch Tuesday release but had been pulled at the last minute due to some testing problems involving a third-party vendor, according to Microsoft. Henry noted that despite all the hype after the BEAST attack tool was released over the summer, attacks exploiting the SSL flaw simply never materialized.
Microsoft issued an out-of-band security update on Dec. 29 to close four serious vulnerabilities in the .NET framework. One of the vulnerabilities could be exploited to launch hash collision attacks on Web applications built on ASP.NET and trigger a denial of service. The .NET patch had originally been scheduled for the January release, but the company moved up the date in order to issue the ASP.NET fix as an emergency patch.The DoS zero-day exists in other Web application frameworks as well. But Microsoft and Apache appear to be the only ones who have addressed the issue to date.
Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s