January 2012 Patch Tuesday Overview

Microsoft is starting off the new year with seven new security bulletins released for the January 2012 Patch Tuesday.  These seven new security bulletins address eight vulnerabilities.

The primary bulletin administrators should patch first is MS12-004.  This security bulletin addresses two vulnerabilities with Windows Media types.  Opening a malicious media or MIDI file on an unpatched system could allow an attacker to gain full control of the system.  As media files are extremely popular for viewing and sharing, administrators should patch this bulletin on their workstation machines as soon as possible.  It is important to note that newer operating systems (Windows 7, Windows 2008 R2) are not affected by one of the vulnerabilities.  These machines will only show one patch missing whereas older Microsoft operating systems (Windows XP, Vista, 2003, 2008) will require two patches to fully fix the vulnerabilities in this security bulletin.

Administrators were given a last minute 2011 holiday surprise with an out-of-band security bulletin release from Microsoft.  On December 29th, Microsoft released MS11-100 to address a critical zero-day vulnerability with the Microsoft .NET program.  This vulnerability had the exploit code published and the bulletin could not wait until the regularly scheduled Patch Tuesday for release.  The vulnerability had a particularly nasty affect on web servers running ASP.NET web pages.  If successfully exploited, an attacker could create a denial of service attack on any web site running the vulnerable code.  Most administrators patched their web servers immediately with this security bulletin but chose to wait to patch all desktops and non-public facing web servers until the next scheduled Patch Tuesday.

On the non-Microsoft front, Adobe is planning to release their quarterly security bulletin update today with security bulletin APSB12-01.  This security update will apply to Adobe Acrobat/Reader versions 9 and 10.  The update for Adobe Reader/Acrobat 10 will contain the fixes for a previously released security bulletin for Adobe Acrobat/Reader 9.

On December 16, 2011, Adobe released a security bulletin (APSB11-30) that patched a critical security vulnerability in the Adobe Acrobat/Reader version 9 program.  This vulnerability was a zero-day vulnerability that Adobe had received reported active attacks against the vulnerability.  Adobe has waited until today to patch version 10 of their products as this version contains a Protected Mode that will prevent the vulnerability from being exploited.

– Jason Miller

January 2012 Patch Tuesday Advanced Notification

Microsoft is kicking off the 2012 year with seven new Microsoft Security Bulletins.  Just announced in their advanced notification for the January 2012 Patch Tuesday, these seven security bulletins will address eight vulnerabilities.

Security Bulletin Breakdown:

  • 1 bulletin is rated as Critical
  • 6 bulletins are rated as Important
  • 3 vulnerabilities could lead to Remote Code Execution
  • 1 vulnerability could lead to Security Feature Bypass
  • 2 vulnerabilities could lead to Information Disclosure
  • 1 vulnerability could lead to Elevation of Privilege

Affected Products:

  • All supported Microsoft Operating Systems
  • Microsoft Developer Tools and Software

 

This Tuesday will also be a good chance to install the out-of-band security update (MS11-100) on your desktop systems.  This out-of-band security update was released last Thursday (12/29/11) and should already be applied to your public facing web servers.

This January Patch Tuesday will also mark the Adobe Quarterly Security update release.  Adobe has already stated they will be releasing security udpates for their Adobe Reader and Acrobat 10 product lines.  We will have to wait to see what other security patches Adobe may be releasing on Patch Tuesday.

As this marks a light Patch Tuesday, you can see that a lot of work will be greeting administrators from their holiday vacation season.

– Jason Miller