Microsoft Patch Tuesday (January 2012): Media Player and The BEAST

The statisticians over at the Patch Tuesday Farmer's Almanac are saying that 7 bulletins in January ties a record high that we haven't seen since, well, the last time it happened. The Great Buffer Overflow of '99, or something. That was a heck of a thing, it was.

MS12-004 / KB2636391

Vulnerabilities in Windows Media Could Allow Remote Code Execution


The sole Critical bulletin, it affects all supported versions of Windows. Windows 7 and Server 2008 R2 are not affected in their default configurations.

CVE-2012-0004, DirectShow Remote Code Execution Vulnerability

DirectShow is the framework used by Windows to display multimedia content. It's the thing that plays all of c7five's Star Wars cosplay movies when he double-clicks on them from Explorer. Unfortunately for c7five (and fortunately for us) there's a memory corruption condition here. This patch addresses the vulnerability, and in turn, Percoco-Fett.

CVE-2012-0003, MIDI Remote Code Execution Vulnerability

The next time you download that hot John Philip Sousa arrangement, you might want to stop and think. Before this patch, attackers could take over your machine to the tune of Hands Across the Sea, or even The Stars and Stripes Forever. Is nothing sacred?

These are serious vulnerabilities, especially considering that these files can be easily embedded into web pages. Those who use secure mail gateways such as Trustwave's mailMAX might consider blocking MIDI altogether, and similar countermeasures could be put in place using web proxy servers.

Patching is not only recommended, it is essential to anyone who enjoys quality musical accompaniment with his or her websites. And, let's face it, who doesn't?

MS12-001 / KB2644615

Vulnerability in Windows Kernel Could Allow Security Feature Bypass, Important


CVE-2012-0001, Windows Kernel SafeSEH Bypass Vulnerability

The Structured Exception Handler (SEH) is a system used by Windows to handle exceptions (bad things) that happen in both hardware and software. In 2003, David Litchfield demonstrated a way that SEH could be used by attackers to redirect program execution. In very basic terms, this involved changing the exception handler's pointer (where to go when bad things happen) and then making bad things happen so that we go there. This was actually somewhat better than the standard approach, which involved overwriting the stack's "return address" which is harder-to-find on Windows and often a less reliable set of data than an SEH handler.

SafeSEH was created in order to make messing around with the SEH more difficult, and serves as a validation step. If the table doesn't match up with the SEH in memory (i.e. it's been messed with), the program immediately takes its stack and goes home. That's what is supposed to happen, anyway, but this patch deals with a case where SafeSEH wasn't working as it should – in certain instances of binaries created with Microsoft Visual C++ .NET 2003. 

This is an interesting bulletin in that it deals with a "Security Feature Bypass" rather than a vulnerability that directly leads to compromise. An attacker would still need to compromise the application itself somehow in order to modify SEH, it's just that the usual protections for SEH aren't working in the affected executables.

MS12-002 / KB2603381 

Vulnerability in Windows Object Packager Could Allow Remote Code Execution


CVE-2012-0009, Object Packager Insecure Executable Launching Vulnerability

This issue affects Windows XP and Server 2003 only, and deals with the way that packager.exe is called. When needed, packager.exe in the affected versions of Windows will be searched for in the Current Working Directory (CWD) first, before searching locally trusted paths. Attackers could lure an affected system to execute their own packager.exe file if placed on the same file share as a file that required it. The patch fixes this behavior in affected versions.

The most straightforward workaround for this issue is to disable outgoing WebDAV and Windows File Sharing connections. WebDAV is tricky to disable, since it operates on the same ports used for web browsing, but disabling outgoing 139 and 445, which are used by Windows File Sharing, is a good practice in general. WebDAV functionality can be disabled through device configuration, but applying the patch is probably a better alternative at that point.

MS12-003 / KB2646524

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege


CVE-2012-0005, CSRSS Elevation of Privilege Vulnerability

Affecting Windows XP, 2003, and 2008 R2 (though not the x64 or Itanium versions of the latter),and only systems with a Chinese, Japanese, or Korean system locale, this vulnerability affects the Client/Server Run-time Subsystem (CSRSS). The "inside guy" for getting things done, CSRSS handles functions such as creating processes and threads in user mode (outside of the kernel). It still runs inside the context of System, however, so compromise of CSRSS generally leads to Moments of Eww.

This patch fixes a situation where CSRSS's handling of certain Unicode characters can result in privilege escalation. Local access is required to exploit this vulnerability.

MS12-005 / KB2584146

Vulnerability in Microsoft Windows Could Allow Remote Code Execution


CVE-2012-0013, Assembly Execution Vulnerability

This vulnerability could allow remote code execution and the attacker could be granted with escalated privileges if a end-user opens a malicious Office file embedded with a ClickOnce application.  ClickOnce applications (which use the ".application" file extension) are not considered malicious by default, and Office will not prompt the user before when encountering embedded instances of this file type. These applications have the ability to execute code within the user's security context. The patch addresses this issue by changing how the the Windows Packager checks for unsafe files.

MS12-006 / KB2643584

Vulnerability in SSL/TLS Could Allow Information Disclosure


CVE-2011-3389, SSL and TLS Protocols Vulnerability

In September 2011, BEAST (Browser Exploit Against SSL/TLS), a tool created by Juliano Rizzo and Thai Duong, was used to demonstrate flaws in the CBC encryption algorithm found in the SSL 3.0 and TLS 1.0.  Attackers can exploit the vulnerability by targeting clients visiting websites that are running SSL3/TLS1.0 connections on HTTP servers if any CBC cipher suites are employed. Remember that a man-in-the-middle attack is required for the browser exploit to decrypt HTTPS cookie on the fly.  If successful, the attacker can hijack the session with decrypted information, such as session cookies or other encrypted session requests.

The fix modifies the Windows Secure Channel (SChannel) to negotiate secure HTTPS protocols including TLS 1.1 or higher.

MS12-007 / KB2607664

Vulnerability in Anti-XSS Library Could Allow Information Disclosure


CVE-2012-0007, AntiXSS Library Bypass Vulnerability

This bulletin describes a information disclosure vulnerability affecting websites that use the Anti-Cross Site Library module versions 3.x and 4.0.  A certain combination of characters can be used to bypass this control and perform XSS regardless. Web controls that rely on this library could then be adversely affected if they do not properly sanitize input.

The patch addresses this issue and should be deployed onto any system relying on this Anti-XSS control. In addition, SpiderLabs has deployed a commercial ModSecurity rule for detecting attacks that target this vulnerability.

Thanks to Rob Foggia, John Miller, and Ryan Barnett for their Super Patch Tuesday abilities.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.