Microsoft Security Alert - Critical Product Vulnerability - January 2012 Microsoft Security Bulletin Release


http://image.email.microsoftemail.com/lib/ffcf14/m/1/spacer.gif
http://image.email.microsoftemail.com/lib/ffcf14/m/1/spacer.gif




What is the purpose of this alert?


This alert is to provide you with an overview of the new security 
bulletin(s) being released on January 10, 2012. Security bulletins are released 
monthly to resolve critical problem vulnerabilities. 
























































NEW SECURITY BULLETINS





Microsoft is releasing the following seven new security bulletins for newly discovered vulnerabilities:
Bulletin ID
Bulletin ID
Maximum Severity Rating
Vulnerability Impact
Restart Requirement
Affected Software
Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)
Important
Security Feature Bypass
Requires restart






 Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)
Important
Remote Code Execution
May require restart
Microsoft Windows XP and Windows Server 2003.
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)
Important
Elevation of Privilege
Requires restart
Microsoft Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
Critical
Remote Code Execution
Requires restart
Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)
Important
Remote Code Execution
May requires restart
Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
Important
Information Disclosure
Requires restart
Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)
Important
Information Disclosure
May requires restart
Microsoft Developer Tools and Software


  Note: The list of affected software in the summary table above is an abstract. To see the full list of affected
  components please visit the bulletin summary webpage at the link below and review the "Affected
  Software" section.





Summaries for new bulletin(s) may be found at http://technet.microsoft.com/security/bulletin/MS12-jan.
Update the month and also the URL inside the hyperlink and remove this note.

Microsoft Windows Malicious Software Removal Tool
Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center. Information on the Microsoft Windows Malicious Software Removal Tool is available at http://support.microsoft.com/?kbid=890830.
High Priority Non-Security Updates
High priority non-security updates Microsoft releases to be available on Microsoft Update (MU), Windows Update (WU), or Windows Server Update Services (WSUS) will be detailed in the KB article found at http://support.microsoft.com/?id=894199.





PUBLIC BULLETIN WEBCAST






Microsoft will host a webcast to address customer questions on these bulletins:

Title: : Information about Microsoft January Security Bulletins (Level 200)
Date: Wednesday, January 11, 2012, 11:00 A.M. Pacific Time (GMT-08:00)
URL: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032499498





NEW SECURITY BULLETIN TECHNICAL DETAILS


In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle web site at http://support.microsoft.com/lifecycle/.

Bulletin Identifier
Microsoft Security Bulletin MS12-001
Bulletin Title
Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code.

The security update addresses the vulnerability by modifying the way that the Windows kernel loads structured exception handling tables.
Severity Ratings and Affected Software
This security update is rated Important for supported x64-based editions of Windows XP and all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Attack Vectors
An attacker who successfully exploited this vulnerability could bypass the SafeSEH security feature in a software application and then use other vulnerabilities to leverage the structured exception handler to run arbitrary code.
Mitigating Factors
Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.
Restart Requirement
This update requires a restart.
Bulletins Replaced by This Update
None
Full Details



Bulletin Identifier
Microsoft Security Bulletin MS12-002
Bulletin Title
Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file.

The security update addresses the vulnerability by correcting a registry key associated with the Windows Object Packager.
Severity Ratings and Affected Software
This security update is rated Important for all supported editions of Windows XP and Windows Server 2003.
Attack Vectors
An attacker could place a legitimate file with an embedded packaged object and a specially crafted executable file in a network share, a UNC, or WebDAV location and then convince the user to open the legitimate file.
Mitigating Factors
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The attacker cannot force the user to visit an untrusted remote file system or WebDAV share and open a legitimate file.
The file sharing protocol (SMB) is often disabled on the perimeter firewall.
Restart Requirement
This update may require a restart.
Bulletins Replaced by This Update
None
Full Details



Bulletin Identifier
Microsoft Security Bulletin MS12-003
Bulletin Title
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)
Executive Summary
This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. The attacker could then take complete control of the affected system.

The security update addresses the vulnerability by changing the way that the Client/Server Run-time Subsystem (CSRSS) processes Unicode characters.
Severity Ratings and Affected Software
This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
All supported editions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.
Attack Vectors
An attacker logs on to the affected system and runs a specially crafted application.
Mitigating Factors
This vulnerability can only be exploited on systems configured with a Chinese, Japanese, or Korean system locale.
An attacker must have valid logon credentials and be able to log on locally or remotely to exploit this vulnerability.
Restart Requirement
This update requires a restart.
Bulletins Replaced by This Update
MS11-063
Full Details



Bulletin Identifier
Microsoft Security Bulletin MS12-004
Bulletin Title
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
Executive Summary
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file.

The security update addresses the vulnerabilities by correcting the way that Windows Media Player handles specially crafted MIDI files and the way that DirectShow parses media files.
Severity Ratings and Affected Software
This security update is rated Critical for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
This security update is rated Important for all supported editions of Windows Media Center TV Pack for Windows Vista, Windows 7, and Windows Server 2008 R2.
Attack Vectors
In an email attack scenario, an attacker could exploit the vulnerability by sending a user an email message containing a specially crafted media file and convincing the user to open the media file.
In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted media file.
Mitigating Factors
Email scenario: The malicious file could be sent as an email attachment, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.
Web scenario: An attacker would have no way to force users to visit a website hosting the specially crafted media file. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that directs them to the attacker's website.
An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Restart Requirement
This update requires a restart.
Bulletins Replaced by This Update
MS10-033
Full Details



Bulletin Identifier
Microsoft Security Bulletin MS12-005
Bulletin Title
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application.

The security update addresses the vulnerability by changing the way that Windows Packager checks for unsafe files.
Severity Ratings and Affected Software
This security update is rated Important for all supported releases of Microsoft Windows.
Attack Vectors
In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Microsoft Office file with an embedded ClickOnce application to the user and convincing the user to open the file.
In a web-based attack scenario, an attacker would have to host a website that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.
Mitigating Factors
An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link that takes them to the attacker's site, and then convince them to open the specially crafted file.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Restart Requirement
This update may require a restart.
Bulletins Replaced by This Update
None
Full Details



Bulletin Identifier
Microsoft Security Bulletin MS12-006
Bulletin Title
Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
Executive Summary
This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system.

The security update addresses the vulnerability by modifying the way that the Windows Secure Channel (SChannel) component sends and receives encrypted network packets.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2588513.
Severity Ratings and Affected Software
This security update is rated Important for all supported releases of Microsoft Windows.
Attack Vectors
An attacker could inject malicious code in an HTTP response or host a specially crafted website containing malicious code, forcing the browser to execute this malicious code. This code sends several requests, inside the same TLS/SSL session, to a third-party HTTPS website, where cookies are sent automatically if a previous authenticated session exists. This is a required condition in order to exploit this vulnerability. The attacker needs to be able to intercept this HTTPS traffic in order to exploit this vulnerability in SSL, resulting in the possibility to decrypt portions of the encrypted traffic (for example, authentication cookies).
Mitigating Factors
• TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
Restart Requirement
This update requires a restart.
Known Issues
Known Issues. Microsoft Knowledge Base Article 2643584 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.
Answers to Common Questions
Q: How is this security update related to MS11-099?
A: In order to be protected from the web-based attack vector through Internet Explorer for the SSL and TLS Protocols Vulnerability (CVE-2011-3389) as described in this bulletin, customers must install both this update, MS12-006, and the Cumulative Security Update for Internet Explorer, MS11-099.
Two different updates are needed because the modifications that are required to address the issue are located in different Microsoft products. This update, MS12-006, addresses the vulnerability affecting WinHTTP and provides the possibility to enable the protection system-wide. The MS11-099 update enables these protections for Internet Explorer.

Q: Why does this bulletin contain two updates for Windows XP Professional x64 Edition Service Pack 2 and Windows Server 2003 operating systems?
A: This bulletin contains two updates, identified by package KB number, for Windows XP Professional x64 Edition Service Pack 2 and Windows Server 2003 operating systems, as specified in the
Affected Software table. The two updates are necessary because the modifications that are required to address the vulnerability in Windows XP Professional x64 Edition Service Pack 2 and Windows Server 2003 operating systems are located in separate components.
Bulletins Replaced by This Update
MS10-049, MS10-085, and MS10-095.
Full Details



Bulletin Identifier
Microsoft Security Bulletin MS12-007
Bulletin Title
Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)
Executive Summary
This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depends on the nature of the information itself.

The update addresses the vulnerability by upgrading the AntiXSS Library to a version that is not affected by the vulnerability.
Severity Ratings and Affected Software
This security update is rated Important for the AntiXSS Library V3.x and the AntiXSS Library V4.0.
Attack Vectors
An attacker could send specially crafted HTML to a target website that is using the sanitization module of the AntiXSS Library. When the AntiXSS Library incorrectly sanitizes the HTML, malicious script contained within the specially crafted HTML could be run on the affected web server.
Mitigating Factors
Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.
This vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.
Restart Requirement
This update may require a restart.
Bulletins Replaced by This Update
None
Full Details

REGARDING INFORMATION CONSISTENCY


We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft's security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft's web-based security content, the information in Microsoft’s web-based security content is authoritative.

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft CSS Security Team







http://image.email.microsoftemail.com/lib/ffcf14/m/1/spacer.gif
http://image.email.microsoftemail.com/lib/ffcf14/m/1/spacer.gif

Comments