January 2012 Microsoft Patches

Happy New Year, and here are the first significant Microsoft security patches for 2012.

This month’s patch batch contains 7 new Microsoft Security Bulletins.


Windows Kernel SafeSEH Bypass Vulnerability (MS12-001): Introduces a new “Security Impact” type to the Microsoft Bulletins: “Security Feature Bypass”. This issue is a bypass of the SafeSEH setting on software compiled with Microsoft Visual C++ .NET 2003. To make use of it, there must also be a vulnerability in your compiled software. The bypass exists within Windows, so compiled software will not need to be recompiled.


Object Packager Insecure Executable Launching Vulnerability (MS12-002): Similar to the DLL preloading attack, except with executables rather than DLLs, which means SafeDllSearchMode cannot help mitigate this issue. The issue applies to Microsoft Publisher (.PUB) files, where an attacker could place a malicious file in the same directory as a .PUB file.


CSRSS Elevation of Privilege Vulnerability (MS12-003): Affects the Windows Client Server Runtime Subsystem (CSRSS) on systems with a double-byte (Unicode) locale (such as Chinese, Japanese, or Korean system locales). Keep in mind that the locale on any system can be changed, so this patch should be applied regardless of the current locale.


DirectShow Remote Code Execution Vulnerability and MIDI Remote Code Execution Vulnerability (MS12-004): This patch contains two fixes for all except Windows 7 systems: one for DirectShow and one for the Windows Multimedia Library. This is the only critical patch for the month, providing a potential drive-by vector related to MIDI files.


Assembly Execution Vulnerability (MS12-005): This patch fixes an issue related to malicious EXEs deployed as a ClickOnce application and embedded within Office documents.


SSL and TLS Protocols Vulnerability (MS12-006): This patch fixes the well-known “BEAST” vulnerability. Apply this patch as soon as possible.


AntiXSS Library Bypass Vulnerability (MS12-007): This patch resolves a bypass in the Microsoft AntiXSS Library similar to MS12-001. Although this should be in the new “Security Feature Bypass” category, the impact is considered Information Disclosure. Again, when combined with a flaw in the website that lies behind the AntiXSS library, this vulnerability could be dangerous.
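For the MS12-002 condition described above (a file planted in the same directory as a .PUB file), here is an added audit example that is not from the original post or from Microsoft: it walks a directory tree and reports every directory where a .PUB file sits beside an executable. The function names, the extension list and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: extensions treated as "executable" for this audit. The post does
# not name specific file types, so adjust the set to your environment.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr"}


def find_pub_with_executables(root):
    """Return {directory: {"pub": [...], "executables": [...]}} for every
    directory under root that holds a .PUB file next to an executable."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        pubs, exes = [], []
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()  # case-insensitive match
            if ext == ".pub":
                pubs.append(name)
            elif ext in EXECUTABLE_EXTS:
                exes.append(name)
        # Only the co-location matters: either file type alone is not reported.
        if pubs and exes:
            findings[dirpath] = {"pub": sorted(pubs), "executables": sorted(exes)}
    return findings


def build_sample_tree(root):
    """Constructed sample share: one suspicious directory, two benign ones."""
    layout = {
        "newsletters": ["march.PUB", "helper.exe"],  # .PUB beside an executable
        "flyers": ["open-day.pub", "logo.png"],      # .PUB only
        "tools": ["setup.exe"],                      # executable only
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, hit in find_pub_with_executables(tmp).items():
            print(directory, hit)
```

Other file types, such as SSH public keys, also use the .pub extension, so treat each hit as something to review rather than as proof of tampering.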

As always, these patches should be tested and implemented as quickly as possible.