Microsoft Slays the BEAST, and Six Other Patch Tuesday Updates

Happy New Year! We are already at the second Tuesday of 2012, and that means it’s time for the first Patch Tuesday of the year. Microsoft has released a total of seven security bulletins – one ranked as “critical”, with the remaining 6 designated merely as “important”.

Of the six bulletins this month, there are two that stand out: MS12-004 and MS12-006. MS12-004 is a “critical” security bulletin that addresses a vulnerability in Windows Media Player, and MS12-006 patches the flaw exploited by BEAST attacks. MS12-006 was originally slated for the December 2011 Patch Tuesday, but was pulled at the last minute due to conflicts.

As much attention as Beast has gotten, the lack of any attacks with teeth supports Microsoft’s finding that zero day exploits are not the threat they are perceived to be. Paul Henry, security and forensic analyst with Lumension, explains, “It’s interesting to note that despite all of the hype over “The Beast”, attacks have simply never materialized and the issue has retained its “important” classification from Microsoft.”

In addition to the patches, Microsoft also rolled out a new threat classification: Security Feature Bypass. It includes exploits that are not a threat in and of themselves, but if combined with an attack capable of bypassing a security feature — such as disabling UAC, DEP, or ASLR — could pose a significant threat.

First things first, if you were chilling at home for the holidays drinking egg nog and watching football, you need to make sure you roll out the out-of-band patch Microsoft launched at the end of December. There is proof of concept exploit code circulating on the Internet, and actual attacks are probably imminent. Those caught with their proverbial pants down will have nobody to blame but themselves.

Henry stresses that MS12-004 should be next on your list. “Second on your priority list should be the critical Media Player bulletin followed by the remaining important bulletins released today.”

Wolfgang Kandek, CTO of Qualys agrees. In a blog post, he describes the risk behind MS12-004. “The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerability can be both through e-mail or hosting the media file on a website. They have the potential to be used in a drive-by-download attack.”

It is worth noting, though, that the critical vulnerability in Windows Media Player only affects Windows Vista and Windows XP. Andrew Storms, director of security operations for nCircle, points out, “This bulletin provides yet another reason to upgrade to Windows 7 because those users are not affected by this drive-by exploit.”

Get cracking and get these patches in place. If the ebb and flow pattern of security bulletins during 2011 is any indication, February could be an avalanche.