
It's Microsoft Patch Tuesday: January 2012

Justin James gathers the information you need to make the right deploy decision when applying Microsoft's January 2012 patches in your organization.

Happy New Year to all! Given the complete lack of out-of-band patches (security or otherwise) and the sparseness of the nonsecurity patches, it looks like the Microsoft folks had a relaxing December. Watch out for MS12-006, as the patch changes the way encryption is done, and some older or out-of-date software packages and Web sites may not be able to perform encryption after the patch is installed.

This blog post is also available in PDF format as a TechRepublic download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

MS12-001/KB2644615 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): Certain applications (those made with Visual C++ .NET 2003) can be created to circumvent security features and run arbitrary code. Install this patch at your usual time.

MS12-002/KB2603381 - Important (XP, 2003): This patch addresses a remote code execution error, one of those where code in a DLL on a network share can be run. In this case, the attack vector is embedded packaged objects. Install this patch on your typical schedule.

MS12-003/KB2646524 - Important (XP, Vista, 2003, 2008): A flaw in the client/server runtime subsystem (CSRSS) can allow a user running a local application to escalate their privileges. Because the attack involves a locally logged-on user, the patch can wait until your normal patch time.

MS12-004/KB2636391 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): Media files can contain attack code to exploit a remote code execution vulnerability. Given the nature of this attack, you will want to install the patch immediately.

MS12-005/KB2584146 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): Office files with ClickOnce applications embedded in them are vulnerable to a remote code execution attack that runs with the locally logged-on user's rights. Microsoft is calling this "important" due to the need for user action and the rights restriction, but I recommend that you install it as soon as you can due to the widespread nature of Office files. After installing the patch, you will see a warning when running these kinds of objects from OLE documents.

MS12-006/KB2643584 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): Known issues with the SSL 3.0 and TLS 1.0 protocols (critical protocols for Web security) can allow attackers to decode intercepted communications. This patch fixes the issue. Note that the vulnerability is in the protocols themselves, and OSs other than Windows are affected too. You may want to install the patch quickly, due to the relative ease of intercepting traffic on wireless networks. There are a number of known issues with the patch, and you may find that some sites no longer work once you have installed it.

MS12-007/KB2607664 - Important (Anti-Cross Site Scripting Library 3.X and 4.0): Software using the Anti-Cross Site Scripting (AntiXSS) library is vulnerable to an information disclosure attack. Install this patch on schedule.
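As an added example (not part of the original post), the following Python encodes the bulletin list above and ranks the patches still missing on one platform by the deploy advice given; the platform tokens, the urgency mapping and the sample hotfix listing are my own constructions, not Microsoft data.

```python
# Added example (not from the original post): rank the January 2012 bulletins
# that still apply to one Windows platform, using the bulletin table above and
# a constructed "wmic qfe get HotFixID" listing as the installed-patch input.
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Urgency buckets derived from the deploy advice in the post (lower = sooner).
URGENCY = {"immediately": 0, "soon": 1, "scheduled": 2}


@dataclass(frozen=True)
class Bulletin:
    bulletin: str
    kb: str
    severity: str
    platforms: FrozenSet[str]  # OS tokens as written in the post
    deploy: str                # key into URGENCY


ALL_OS = frozenset({"XP", "Vista", "W7", "2003", "2008", "2008 R2"})
BULLETINS = [
    Bulletin("MS12-001", "KB2644615", "Important", ALL_OS, "scheduled"),
    Bulletin("MS12-002", "KB2603381", "Important", frozenset({"XP", "2003"}), "scheduled"),
    Bulletin("MS12-003", "KB2646524", "Important", frozenset({"XP", "Vista", "2003", "2008"}), "scheduled"),
    Bulletin("MS12-004", "KB2636391", "Critical", ALL_OS, "immediately"),
    Bulletin("MS12-005", "KB2584146", "Important", ALL_OS, "soon"),
    Bulletin("MS12-006", "KB2643584", "Important", ALL_OS, "soon"),
    # AntiXSS is a library, not an OS, so it never matches an OS token.
    Bulletin("MS12-007", "KB2607664", "Important", frozenset({"AntiXSS 3.x", "AntiXSS 4.0"}), "scheduled"),
]

# Constructed sample: the hotfix IDs one XP box might report (not real output).
SAMPLE_QFE = """HotFixID
KB2603381
KB2646524
KB2584146
KB2598479
"""


def parse_installed_kbs(qfe_output: str) -> Set[str]:
    """Extract KB identifiers from 'wmic qfe get HotFixID'-style text."""
    return {m.upper() for m in re.findall(r"\bKB\d+\b", qfe_output, re.IGNORECASE)}


def missing_bulletins(platform: str, installed: Set[str]) -> List[Bulletin]:
    """Bulletins for this platform whose KB is absent, soonest-needed first."""
    todo = [b for b in BULLETINS if platform in b.platforms and b.kb not in installed]
    return sorted(todo, key=lambda b: (URGENCY[b.deploy], b.bulletin))
```

Feed it the real output of `wmic qfe get HotFixID` from a machine to get that machine's ordered to-do list; the AntiXSS bulletin is tracked separately since it ships with applications rather than the OS.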

Other Updates

KB2632503 - Fix for problems looping over large arrays in JScript 5.8 (IE 8, IE 9, Windows Script Host).

KB2636573 - Fix for the guest OS crashing when performing a live migration of Hyper-V VMs with 2008 R2.

"The Usual Suspects": Updates to the Malicious Software Removal Tool and the Junk Email Filter.

Changed, but not significantly: None.

Updates since the last Patch Tuesday

  • There were no security updates released out-of-band.
  • Minor items added or updated since the last Patch Tuesday: none.
  • Changed, but not significantly: None.

About

Justin James is the Lead Architect for Conigent.

11 comments
gpopkey

I too run Windows XP Pro and according to the advance notification, I was supposed to receive updates identified as MS12-004 (KB2636391 (Critical)), MS12-001 (KB2644615), MS12-002 (KB2603381), MS12-003 (2646524), MS12-005 (KB2584146), MS12-006 (KB2643584), MS12-007 (KB2607664). I received only the following of this list: MS12-002, MS12-003, and MS12-005. However I received the following in addition to the 3 above: KB2598479, KB2585542, KB2631813 and KB2597098 plus updates for MSRT and Windows Defender. What happened to the critical update? Why did it not install? Why was it not required on my computer? What happened to the others listed in the first paragraph? My computer continues to function satisfactorily and Microsoft Update seems to work satisfactorily but there appears to be some information withheld by Microsoft re whether some installations need to install the updates. I find the missing updates confusing. Maybe I am missing something but how do I find out what I am missing. Rerunning Microsoft Update just informs me there are no further updates to install.

davidjbell

This is not the first time a Patch Tuesday update has cleared some of my stored website logins; what a pain having to lookup all the IDs and passwords again.

?/\/\?|???\/???

===== Updates since the last Patch Tuesday: There were no security updates released out-of-band. =====

MS11-100 covering CVEs 2011-3414 through 3417?

Gisabun

KB2632503 is for IE8 as IE9 has it included in the IE9 patch in December.

Who Am I Really

They never show up on Tuesday anymore; 7 different XP Pro systems and even the Win7 netbook are just standing there with no new updates available. My systems are configured for DL & notify, but I haven't seen any actual DL on crash Tuesday for several months now.

Mark W. Kaelin

Are the Microsoft patches giving you trouble this month? Maybe your peers can help - describe the problems you are having.

Justin James

Sorry I missed that, you are right. They didn't have it listed in the chronological list from 2011. :( J.Ja

gbravin

I have one PC only, and run Windows XP Professional. Usually MS warns me about their delivery. This time they didn't. When I wanted to turn off my PC, it took half an hour to upgrade 6 patches, and then went off. The following morning, my PC upgraded another patch for ten minutes. MS staff forget that it is the customers who pay their wages. Next time I will switch to Linux!

Justin James

I've had the same thing happen to me. What's interesting is that my WSUS server for work always gets the updates by the time my article publishes (sometimes they'll come in as I'm writing it), and it syncs 4 or 6 times a day (I like to get the spam/virus definitions in... often and plenty...). My *suspicion* is that a) desktops don't check too often or b) they are checking a server that is a few rungs down the tree compared to what WSUS servers sync from, so it takes a bit longer to be available to consumer systems. Both theories are 100% pure conjecture on my part. J.Ja

charleswdavis6670

gbravin, Microsoft employees work to create the security patches to keep their customers less exposed to those that would do harm to your computer.

Who Am I Really

When I do a fresh install (XP Pro) it's all too eager to flood MS servers with requests to get updates, and the first batch of 120+ XP updates comes down no problem, starting DL within seconds of the "update to Windows Update". It's after that when they stop arriving on time. Not exactly sure how long ago the problem started (at least 7 or 8 months ago now), but it only manifests after all the previous updates are installed; if I don't finish installing the previous updates they just keep coming down and are added to the list of available updates (I set update to DL & notify and then install individually). If I don't get them on the Win7 netbook soon, I'm probably going to take it into the office to see if the updates come down on the customer-access free wi-fi.
