What is the purpose of this alert?

This alert is to provide you with an overview of the new security bulletin(s) being released on January 10, 2012. Security bulletins are released monthly to resolve critical vulnerabilities.

NEW SECURITY BULLETINS

Microsoft is releasing the following seven new security bulletins for newly discovered vulnerabilities:

| Bulletin ID | Bulletin Title | Maximum Severity Rating | Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|---|---|
| MS12-001 | Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615) | Important | Security Feature Bypass | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 |
| MS12-002 | Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381) | Important | Remote Code Execution | May require restart | Microsoft Windows XP and Windows Server 2003 |
| MS12-003 | Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524) | Important | Elevation of Privilege | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 |
| MS12-004 | Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391) | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 |
| MS12-005 | Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146) | Important | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 |
| MS12-006 | Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584) | Important | Information Disclosure | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 |
| MS12-007 | Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664) | Important | Information Disclosure | May require restart | Microsoft Developer Tools and Software |

Note: The list of affected software in the summary table above is an abstract. To see the full list of affected components, please visit the bulletin summary webpage at the link below and review the "Affected Software" section.

Summaries for new bulletin(s) may be found at http://technet.microsoft.com/security/bulletin/MS12-jan.

Microsoft Windows Malicious Software Removal Tool

Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center. Information on the Microsoft Windows Malicious Software Removal Tool is available at http://support.microsoft.com/?kbid=890830.

High Priority Non-Security Updates

High-priority non-security updates that Microsoft releases on Microsoft Update (MU), Windows Update (WU), or Windows Server Update Services (WSUS) are detailed in the KB article at http://support.microsoft.com/?id=894199.

NEW SECURITY BULLETIN TECHNICAL DETAILS

In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle web site at http://support.microsoft.com/lifecycle/.

Bulletin Identifier: Microsoft Security Bulletin MS12-001

Bulletin Title: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)

Executive Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. The security update addresses the vulnerability by modifying the way that the Windows kernel loads structured exception handling tables.

Severity Ratings and Affected Software: This security update is rated Important for supported x64-based editions of Windows XP and all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Attack Vectors:
• An attacker who successfully exploited this vulnerability could bypass the SafeSEH security feature in a software application and then use other vulnerabilities to leverage the structured exception handler to run arbitrary code.

Mitigating Factors:
• Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.

Restart Requirement: This update requires a restart.

Bulletins Replaced by This Update: None

Bulletin Identifier: Microsoft Security Bulletin MS12-002

Bulletin Title: Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)

Executive Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. The security update addresses the vulnerability by correcting a registry key associated with the Windows Object Packager.

Severity Ratings and Affected Software: This security update is rated Important for all supported editions of Windows XP and Windows Server 2003.

Attack Vectors:
• An attacker could place a legitimate file with an embedded packaged object and a specially crafted executable file in a network share, a UNC, or WebDAV location and then convince the user to open the legitimate file.

Mitigating Factors:
• An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• The attacker cannot force the user to visit an untrusted remote file system or WebDAV share and open a legitimate file.
• The file sharing protocol (SMB) is often disabled on the perimeter firewall.

Restart Requirement: This update may require a restart.

Bulletins Replaced by This Update: None

Bulletin Identifier: Microsoft Security Bulletin MS12-003

Bulletin Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)

Executive Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. The attacker could then take complete control of the affected system. The security update addresses the vulnerability by changing the way that the Client/Server Run-time Subsystem (CSRSS) processes Unicode characters.

Severity Ratings and Affected Software:
• This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
• No supported edition of Windows 7 or Windows Server 2008 R2 is affected by this vulnerability.

Attack Vectors:
• An attacker logs on to the affected system and runs a specially crafted application.

Mitigating Factors:
• This vulnerability can only be exploited on systems configured with a Chinese, Japanese, or Korean system locale.
• An attacker must have valid logon credentials and be able to log on locally or remotely to exploit this vulnerability.

Restart Requirement: This update requires a restart.

Bulletins Replaced by This Update: MS11-063

Bulletin Identifier: Microsoft Security Bulletin MS12-004

Bulletin Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)

Executive Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. The security update addresses the vulnerabilities by correcting the way that Windows Media Player handles specially crafted MIDI files and the way that DirectShow parses media files.

Severity Ratings and Affected Software:
• This security update is rated Critical for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
• This security update is rated Important for all supported editions of Windows Media Center TV Pack for Windows Vista, Windows 7, and Windows Server 2008 R2.

Attack Vectors:
• In an email attack scenario, an attacker could exploit the vulnerability by sending a user an email message containing a specially crafted media file and convincing the user to open the media file.
• In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted media file.

Mitigating Factors:
• Email scenario: The malicious file could be sent as an email attachment, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.
• Web scenario: An attacker would have no way to force users to visit a website hosting the specially crafted media file. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that directs them to the attacker's website.
• An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Restart Requirement: This update requires a restart.

Bulletins Replaced by This Update: MS10-033

Bulletin Identifier: Microsoft Security Bulletin MS12-005

Bulletin Title: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)

Executive Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application. The security update addresses the vulnerability by changing the way that Windows Packager checks for unsafe files.

Severity Ratings and Affected Software: This security update is rated Important for all supported releases of Microsoft Windows.

Attack Vectors:
• In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Microsoft Office file with an embedded ClickOnce application to the user and convincing the user to open the file.
• In a web-based attack scenario, an attacker would have to host a website that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.

Mitigating Factors:
• An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link that takes them to the attacker's site, and then convince them to open the specially crafted file.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Restart Requirement: This update may require a restart.

Bulletins Replaced by This Update: None

Bulletin Identifier: Microsoft Security Bulletin MS12-006

Bulletin Title: Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)

Executive Summary: This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. The security update addresses the vulnerability by modifying the way that the Windows Secure Channel (SChannel) component sends and receives encrypted network packets. This security update also addresses the vulnerability first described in Microsoft Security Advisory 2588513.

Severity Ratings and Affected Software: This security update is rated Important for all supported releases of Microsoft Windows.

Attack Vectors:
• An attacker could inject malicious code in an HTTP response or host a specially crafted website containing malicious code, forcing the browser to execute this malicious code. This code sends several requests, inside the same TLS/SSL session, to a third-party HTTPS website, where cookies are sent automatically if a previous authenticated session exists. This is a required condition in order to exploit this vulnerability. The attacker also needs to be able to intercept this HTTPS traffic in order to exploit this vulnerability in SSL, which makes it possible to decrypt portions of the encrypted traffic (for example, authentication cookies).

Mitigating Factors:
• TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Restart Requirement: This update requires a restart.

Known Issues: Microsoft Knowledge Base Article 2643584 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

Answers to Common Questions:

Q: How is this security update related to MS11-099?
A: In order to be protected from the web-based attack vector through Internet Explorer for the SSL and TLS Protocols Vulnerability (CVE-2011-3389) as described in this bulletin, customers must install both this update, MS12-006, and the Cumulative Security Update for Internet Explorer, MS11-099. Two different updates are needed because the modifications that are required to address the issue are located in different Microsoft products. This update, MS12-006, addresses the vulnerability affecting WinHTTP and provides the possibility to enable the protection system-wide. The MS11-099 update enables these protections for Internet Explorer.

Q: Why does this bulletin contain two updates for Windows XP Professional x64 Edition Service Pack 2 and Windows Server 2003 operating systems?
A: This bulletin contains two updates, identified by package KB number, for Windows XP Professional x64 Edition Service Pack 2 and Windows Server 2003 operating systems, as specified in the Affected Software table. The two updates are necessary because the modifications that are required to address the vulnerability in Windows XP Professional x64 Edition Service Pack 2 and Windows Server 2003 operating systems are located in separate components.

Bulletins Replaced by This Update: MS10-049, MS10-085, and MS10-095.

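The mitigating factor for MS12-006 reduces to one condition a defender can check per connection: a session is exposed only if it negotiated SSL 3.0 or TLS 1.0 together with a CBC-mode cipher suite, while TLS 1.1, TLS 1.2 and non-CBC suites are out of scope. The following added example (written for this page, not Microsoft's or SChannel's code) parses a TLS handshake record carrying a ServerHello, which is where the negotiated version and cipher suite appear on the wire, and applies that condition, so connections seen in a packet capture can be triaged. The ServerHello records it checks are constructed inside the block, and its cipher-suite table is a small subset of the IANA registrations; unknown suites are deliberately treated as CBC so an incomplete table flags rather than clears.

```python
"""Triage a TLS ServerHello against the MS12-006 exposure condition.

Added example, not Microsoft's code. Exposed means: negotiated version is
SSL 3.0 or TLS 1.0 AND the negotiated cipher suite uses CBC mode.
"""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Small subset of the IANA cipher-suite registry, enough for the example.
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type


def parse_server_hello(record: bytes) -> tuple:
    """Return (negotiated_version, cipher_suite) from one handshake record
    carrying a ServerHello. Raises ValueError on anything malformed."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) != length or length < 4:
        raise ValueError("truncated record body")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Layout: server_version(2) random(32) session_id_len(1) session_id
    #         cipher_suite(2) compression_method(1) [extensions]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[:2])
    session_id_len = hello[34]
    offset = 35 + session_id_len
    if len(hello) < offset + 3:
        raise ValueError("truncated ServerHello after session_id")
    (cipher_suite,) = struct.unpack("!H", hello[offset:offset + 2])
    return version, cipher_suite


def assess(record: bytes) -> dict:
    """Apply the bulletin's condition to one ServerHello record."""
    version, suite = parse_server_hello(record)
    name = CIPHER_SUITES.get(suite, f"unknown(0x{suite:04X})")
    weak_version = version in (0x0300, 0x0301)
    # Unknown suites count as CBC: an incomplete table must not clear a session.
    cbc = suite not in CIPHER_SUITES or "_CBC_" in name
    return {
        "version": TLS_VERSIONS.get(version, f"unknown(0x{version:04X})"),
        "cipher_suite": name,
        "affected": weak_version and cbc,
    }


def build_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample input (not a real capture): a minimal ServerHello
    record with an all-zero random and no extensions."""
    hello = (struct.pack("!H", version) + bytes(32)
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


if __name__ == "__main__":
    for ver, suite in [(0x0301, 0x002F), (0x0301, 0x0005), (0x0303, 0x002F), (0x0302, 0xC013)]:
        print(assess(build_server_hello(ver, suite)))
```

Only the ServerHello is parsed because the version and suite in it are what the server actually committed to; the ClientHello lists offers, not the outcome. A record that is not a handshake, or that is shorter than its own length fields claim, is rejected rather than guessed at.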
Bulletin Identifier: Microsoft Security Bulletin MS12-007

Bulletin Title: Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)

Executive Summary: This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depend on the nature of the information itself. The update addresses the vulnerability by upgrading the AntiXSS Library to a version that is not affected by the vulnerability.

Severity Ratings and Affected Software: This security update is rated Important for the AntiXSS Library V3.x and the AntiXSS Library V4.0.

Attack Vectors:
• An attacker could send specially crafted HTML to a target website that is using the sanitization module of the AntiXSS Library. When the AntiXSS Library incorrectly sanitizes the HTML, malicious script contained within the specially crafted HTML could be run on the affected web server.

Mitigating Factors:
• Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.
• This vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.

Restart Requirement: This update may require a restart.

Bulletins Replaced by This Update: None

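The attack vector and the first mitigating factor for MS12-007 both turn on one dependency: the application trusts whatever the sanitization module returns. The following added example (written for this page, not Microsoft's or the AntiXSS Library's code) is a defence-in-depth check an application can run over a sanitizer's output before storing or rendering it: it parses the output and reports constructs that a sanitizer for untrusted HTML should never let through, namely script-bearing elements, event-handler attributes, script-scheme URLs and active CSS. The element and attribute lists are this example's own assumptions, and the sample strings it scans are constructed to stand in for sanitizer output.

```python
"""Secondary check on HTML that a sanitizer has already passed.

Added example, not part of the AntiXSS Library. It does not replace the
library upgrade; it lets an application reject or alert on content that a
sanitizer should have removed, instead of trusting the library alone.
"""
import re
from html.parser import HTMLParser

# Elements that load or execute code, or change document-level behaviour
# (assumed list for this example).
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed", "applet", "meta", "link", "base", "form"}
# Attributes whose value is interpreted as a URL (assumed list).
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "data", "background"}
# Browsers tolerate control characters and whitespace inside a scheme,
# so strip them before looking at it.
_SCHEME_NOISE = re.compile(r"[\x00-\x20]")


def _is_script_url(value: str) -> bool:
    cleaned = _SCHEME_NOISE.sub("", value).lower()
    return cleaned.startswith(("javascript:", "vbscript:", "data:text/html"))


class _ActiveContentScanner(HTMLParser):
    """Collects one finding per construct that should not survive sanitization."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes character
        # references in attribute values, so '&#106;avascript:' arrives decoded.
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler '{name}' on <{tag}>")
            elif name in URL_ATTRIBUTES and _is_script_url(value):
                self.findings.append(f"script URL in '{name}' on <{tag}>")
            elif name == "style" and ("expression(" in value.lower() or "url(" in value.lower()):
                self.findings.append(f"active CSS in 'style' on <{tag}>")


def find_active_content(sanitized_html: str) -> list:
    """Return the list of findings; an empty list means nothing suspicious
    survived the sanitizer."""
    scanner = _ActiveContentScanner()
    scanner.feed(sanitized_html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    # Constructed samples standing in for sanitizer output.
    samples = [
        "<p>Hello <b>world</b> <a href='https://example.com'>link</a></p>",
        '<p onmouseover="x()">hover</p>',
        '<a href="  &#106;avascript:x()">click</a>',
        "<script>x()</script>",
    ]
    for s in samples:
        print(s, "->", find_active_content(s) or "clean")
```

The check runs on the sanitizer's output, not on the raw input, so it measures what the sanitizer actually let through; a non-empty result is a signal to reject the content and to log the input for investigation rather than to strip the offending construct and continue.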
REGARDING INFORMATION CONSISTENCY

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft's security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft's web-based security content, the information in Microsoft's web-based security content is authoritative.

If you have any questions regarding this alert, please contact your Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft CSS Security Team