Microsoft issued seven security bulletins, including one “critical†bulletin, repairing a serious Windows Media Player flaw that may be exploited in dangerous drive-by website attacks.
The vulnerability is because of an oversight that permits an attacker to run malware once a user opens a Word or PowerPoint file.Joshua Talbot, security intelligence manager, Symantec
The software giant repaired eight vulnerabilities in its January 2012 Patch Tuesday round of patches. The update also addresses a publicly disclosed vulnerability in SSL/TLS implementations. The SSL/TLS weakness could enable an attacker to intercept encrypted Web traffic on Web servers using SSL 3.0 and TLS 1.0 protocols.
The Windows Media flaws affect Windows Media Player, Â Microsoft Windows Media Libraries and Microsoft DirectShow, the applying program interface (API) designed to enable streaming media in Windows, Microsoft said in its MS12-04 security bulletin.
An attacker could exploit among the many flaws by getting an individual to run a malicious MIDI file using Windows Media Player. It's utilized in drive-by attacks or sent via instant message or as an email attachment, Microsoft said. Any malicious media file can be utilized to take advantage of the DirectShow error, that's a weakness within the way DirectShow parses media files, however the user has to have closed captioning enabled. The update applies to all supported versions of Windows, including Windows 7. It's labeled “critical†for users of Windows XP, Vista and Windows Server 2003 and 2008.Â
Wolfgang Kandek, CTO of Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc. said the MIDI flaw in Windows Media Player needs to be given the top priority because it may be utilized by attackers in drive-by attacks apart from email attachments.
“The MIDI one plays without the user opening a file or installing a codec, so it's particularly serious,†Kandek said. “I think the closed captioning shows there's such a lot of things in these media players that they've to interpret and these kinds of features are great, but they pose another path for attackers.â€
The SSL/TLS flaw, which was disclosed last September on the Ekoparty Security Conference in Buenos Aires, allows an attacker to snoop on encrypted sessions. In keeping with Microsoft's MS12-006 security bulletin, that is identified as an “important†update, the vulnerability is inside the protocol itself and isn't specific to the Windows operating system. On the conference, independent security researcher Juliano Rizzo and Thai Duong demonstrated a device called BEAST to decrypt and obtain authentication tokens and cookies from HTTPS requests by exploiting the SSL error. Both researchers have also been pushing for a brand new XML encryption standard. The Microsoft update applies to all supported versions of Windows.
A Windows error addressed inside the MS12-005 security bulletin is rated “important,†but a minimum of one vulnerability expert, Joshua Talbot, security intelligence manager at Symantec Security Response, said the patch deserves to realize extra attention since it could be easily exploited. The mistake, in Windows .NET, could be exploited remotely using a Microsoft Office Word or PowerPoint document that includes a malicious embedded ClickOnce application. ClickOnce refers to self-updating Windows-based applications that may be installed and run with minimal user interaction. The update, which affects all supported versions of Windows, fixes the way Windows Packager loads ClickOnce applications.
“The vulnerability is due to an oversight that allows an attacker to run malware as soon as a user opens a Word or PowerPoint file,†Talbot said in a statement. “Email attachments will probably be the most common attack method in which this vulnerability is exploited.â€
The vulnerability has an Exploitability Index of 1, meaning that attackers can quickly develop an exploit to target the vulnerability, but Jason Miller, manager of research and development at Palo Alto, Calif.-based virtualization vendor VMware Inc., said attackers would first have to learn how to build ClickOnce applications.
“I see them staying with cross-site scripting and other stuff they're used to doing,†Miller said. “ClickOnce is becoming more prevalent especially as adoption of cloud-based services increases, but for now I don't see this as a major threat.â€
The other updates, all rated “important,†address a variety of Windows errors, including MS12-001, which addresses a Security Feature Bypass vulnerability, MS12-003, a Windows error that enables an attacker to gain elevated privileges, and MS12-002, which affects the best way a valid file with an embedded packaged object functions in Windows.
Nessun commento:
Posta un commento
Comments links could be nofollow free