Happy New Year and welcome to the first Patch Tuesday of 2012.  This week Microsoft released 7 patches addressing 8 individual vulnerabilities.  One of the patches is flagged by Microsoft as critical, with the rest Important.  This month’s MS patches include the following:


  • (MS12-001) Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)
  • (MS12-002) Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)
  • (MS11-003) Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)
  • (MS12-004) Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
  • (MS12-005) Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)
  • (MS12-006) Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
  • (MS12-007) Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)


Of these, MS has identified MS12-004 as critical severity.  This vuln could be used by an attacker to exploit a user’s machine by delivering a malicious media file via a web site, email attachment, or other method.  Two others similar vulns (MS12-002 and MS12-005) can be exploited through similar methods, and also deserve early attention.  The remainder are mostly a mixed bag of information disclosure and privilege escalation vulnerabilities.  None has been exploited in the wild to date.


It’s also worth pointing out the last-minute surprise released in the closing days of 2011.  For those of you who were busy celebrating the holidays, you might have missed a last minute lump of coal in your stocking, in the form of an end-of-year out-of-cycle patch released on Dec 29th:


  • (MS11-100) Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)


The primary driver behind this patch was a denial-of-service vulnerability that affects multiple vendors web application server platforms, including Microsoft ASP.NET.  The vulnerability had been publically disclosed, and MS had reason to expect that exploit code would be released shortly that would allow attackers to easily DoS any ASP.NET-based web application.  MS had been working on a few other issues in their .NET framework, and they took the opportunity to patch 3 other vulnerabilities in the .NET framework at the same time.  The release of the patch turned out to be timely, as exploit code was released on the Full Disclosure mailing list on Jan 6th, just 8 days after the out-of-cycle patch release.  While we have yet to see any widespread DoS attacks, it’s helpful to have a head start on addressing a potentially problematic issue like this.


McAfee’s coverage for this month are as follows:


  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 2 out of 8 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 2 out of 8 vulnerabilities this month.
  • McAfee Application Control is expected to provide protection against exploits of 3 out of 8 vulnerabilities this month, plus 2 of 4 of the .NET out-of-cycle vulnerabilities.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 5 out of 8 vulnerabilities this month, plus 1 of the 4 .NET out-of-cycle vulnerabilities.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.


Additional research is being performed on a couple of the vulnerabilities, and coverage may improve over time.  As more details become available, you’ll find them on the McAfee Threat Center.


You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.


Happy patching!