Microsoft’s first batch of patches for 2012 will include fixes for security vulnerabilities in the Windows operating system and Microsoft Developer Tools and Software. The patches will be released next Tuesday (Jan 10, 2012) at approximately 1:00 PM EST.
The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six important bulletins due next Tuesday handle the BEAST SSL issue, various information disclosure bugs and escalation of privilege issues, and include an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offer to legacy applications. The BEAST/SSL patch was supposed to have been included in December’s Patch Tuesday release but was pulled at the last minute due to some testing problems involving a third-party vendor, according to Microsoft. Henry noted that despite all the hype after the BEAST attack tool was released over the summer, attacks exploiting the SSL flaw simply never materialized.
Microsoft issued an out-of-band security update on Dec. 29 to close four serious vulnerabilities in the .NET framework. One of the vulnerabilities could be exploited to launch hash collision attacks on Web applications built on ASP.NET and trigger a denial of service. The .NET patch had originally been scheduled for the January release, but the company moved up the date in order to issue the ASP.NET fix as an emergency patch. The DoS zero-day exists in other Web application frameworks as well, but Microsoft and Apache appear to be the only ones who have addressed the issue to date.