Microsoft Delivers 7 Fixes in January Security Update

As promised in its advance notification last week, Microsoft released seven security bulletins for this month.

Only one has been deemed "critical," with the remaining described as "important." The critical fix, bulletin MS12-004, addresses two privately reported issues in Windows Media Player that could allow an intruder to carry out a remote code execution attack if a specially designed media file were to be downloaded and opened.

Media players represent easy targets for attackers, according to Marcus Carey, a security researcher at Rapid7.

"This [bulletin] should serve as a reminder that we should expect researchers and attackers to continue to exploit client applications such as media players and browsers," said Carey. "In fact, media players are the target of non-stop fuzzing: the process of throwing the kitchen sink at an application to find where it breaks."

Microsoft's first important item of the month, bulletin MS12-001, is noteworthy for being classified as a "Security Features Bypass." That vulnerability impact designation represents a first for a Microsoft bulletin. This item blocks a reported problem in which an outsider could bypass the SafeSEH features in Microsoft C++ .NET. If exploited, the flaw could allow an attacker to bypass security protocols and load harmful code on a machine.

Many third-party security experts, including Joshua Talbot, a security intelligence manager at Symantec Security Response, believe that this important item should be put at the top of IT's "to-do" list.

"Although only rated important, we actually picked the Assembly Execution Vulnerability as the most severe issue this month," said Talbot. "The vulnerability is due to an oversight that allows an attacker to run malware as soon as a user opens a Word or PowerPoint file. E-mail attachments will probably be the most common attack method in which this vulnerability is exploited."

Another notable bulletin this month, MS12-006, fixes a flaw in Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 that could be exploited with a toolkit called BEAST, which was demonstrated last September. According to those demonstrating the flaw, an attacker could have malicious code uploaded and executed on a computer within 10 minutes.

In response, Microsoft released Security Advisory 2588513 that documented a possible workaround. The advisory notes that Microsoft is working on a permanent fix. The plan was to release the bulletin in last month's security update, but Microsoft had to pull it at the last moment when it encountered compatibility issues with third-party software.

Three of the four remaining important bulletins target two remote code execution vulnerabilities and one elevation of privilege flaw in Windows, while the final bulletin deals with an information disclosure issue in Microsoft's Anti-Cross Site Scripting (AntiXSS) Library.

Detailed information and suggestions for the deployment of January's security update can be found here. Most of the fixes will require a restart to take effect.

With the arrival of Patch Tuesday, it is also a good time to remind many who might have missed it over the holidays of the out-of-band patch released by Microsoft on Dec. 29. This bulletin addressed three issues with Microsoft's framework for ASP.NET.


About the Author

Chris Paoli is the site producer for and

