Happy New Year to all! Given the complete lack of out-of-band patches (security or otherwise) and the sparseness of the nonsecurity patches, it looks like the Microsoft folks had a relaxing December. Watch out for MS12-006, as the patch changes the way encryption is done, and some older or out-of-date software packages and Web sites may not be able to perform encryption after the patch is installed.
Security PatchesMS12-001/KB2644615 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): Certain applications (those made with Visual C++ .NET 2003) can be created to circumvent security features and run arbitrary code. Install this patch at your usual time. MS12-002/KB2603381 - Important (XP, 2003): This patch addresses a remove code execution error, one of those where code in a DLL on a network share can be run. In this case, the attack vector is embedded packaged objects. Install this patch on your typical schedule. MS12-003/KB2646524 - Important (XP, Vista, 2003, 2008): A flaw in the client/server runtime subsystem (CSRSS) can allow a user running a local application to escalate their privileges. Because the attack involves a locally logged-on use, the patch can wait until your normal patch time. MS12-004/KB2636391 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): Media files can contain attack code to exploit a remote code execution vulnerability. Given the nature of this attack, you will want to install the patch immediately. MS12-005/KB2584146 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): Office files with ClickOnce applications embedded in them are vulnerable to a remote code execution attack that runs with the locally logged-on user's rights. Microsoft is calling this "important" due to the need for user action and the rights restriction, but I recommend that you install it as soon as you can due to the widespread nature of Office files. After installing the patch, you will see a warning when running these kinds of objects from OLE documents. MS12-006/KB2643584 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): Known issues with the SSL 3.0 and TLS 1.0 protocols (critical protocols for Web security) can allow attackers to decode intercepted communications. This patch fixes the issue. Note that the vulnerability is in the protocols themselves, and OSs other than Windows are affected too. You may want to install the patch quickly, due to the relative ease of intercepting traffic on wireless networks. There are a number of known issues with the patch, and you may find that some sites no longer work once you have installed it. MS12-007/KB2607664 - Important (Anti-Cross Site Scripting Library 3.X and 4.0): Software using the Anti-Cross Site Scripting (AntiXSS) library are vulnerable to an information disclosure attack. Install this patch on schedule.
Other UpdatesKB2632503 - Fix for problems looping over large arrays in Jscript 5.8 (IE 8, IE 9, Windows Script Host). KB2636573 - Fix for the guest OS crashing when performing a live migration of Hyper-V VMs with 2008 R2.
Changed, but not significantly: None.
Updates since the last Patch Tuesday
- There were no security updates released out-of-band.
- Minor items added or updated since the last Patch Tuesday: none.
- Changed, but not significantly: None.
Justin James is the Lead Architect for Conigent.