January 2012 Patch Tuesday Overview
Microsoft is starting off the new year with seven new security bulletins released for the January 2012 Patch Tuesday. These seven new security bulletins address eight vulnerabilities.
The primary bulletin administrators should patch first is MS12-004. This security bulletin addresses two vulnerabilities with Windows Media types. Opening a malicious media or MIDI file on an unpatched system could allow an attacker to gain full control of the system. As media files are extremely popular for viewing and sharing, administrators should patch this bulletin on their workstation machines as soon as possible. It is important to note that newer operating systems (Windows 7, Windows 2008 R2) are not affected by one of the vulnerabilities. These machines will only show one patch missing whereas older Microsoft operating systems (Windows XP, Vista, 2003, 2008) will require two patches to fully fix the vulnerabilities in this security bulletin.
Administrators were given a last-minute 2011 holiday surprise with an out-of-band security bulletin release from Microsoft. On December 29th, Microsoft released MS11-100 to address a critical zero-day vulnerability with the Microsoft .NET program. Exploit code for this vulnerability had been published, so the bulletin could not wait until the regularly scheduled Patch Tuesday for release. The vulnerability had a particularly nasty effect on web servers running ASP.NET web pages. If successfully exploited, it could allow an attacker to launch a denial-of-service attack against any web site running the vulnerable code. Most administrators patched their web servers immediately with this security bulletin but chose to wait to patch all desktops and non-public-facing web servers until the next scheduled Patch Tuesday.
On the non-Microsoft front, Adobe is planning to release their quarterly security bulletin update today with security bulletin APSB12-01. This security update will apply to Adobe Acrobat/Reader versions 9 and 10. The update for Adobe Reader/Acrobat 10 will contain the fixes for a previously released security bulletin for Adobe Acrobat/Reader 9.
On December 16, 2011, Adobe released a security bulletin (APSB11-30) that patched a critical security vulnerability in the Adobe Acrobat/Reader version 9 program. This was a zero-day vulnerability for which Adobe had received reports of active attacks. Adobe has waited until today to patch version 10 of their products as this version contains a Protected Mode that will prevent the vulnerability from being exploited.
- Jason Miller