Microsoft plans big January Patch Tuesday

Mystery of the month, say experts, is what Microsoft means by 'security feature bypass' update

Microsoft today said it would deliver seven security updates next week -- tying the record for January -- to patch eight vulnerabilities in Windows and its developer tools.

But the company declined to confirm that the Jan. 10 slate will include a patch pulled at the last minute a month ago.

One of the seven updates was tagged "critical," the highest threat ranking in Microsoft's four-step system, while the others were marked "important," the second-highest rating, even though some of them could conceivably be exploited by attackers to plant malware on users' PCs.

Altogether, three of the updates were labeled as "remote code execution," meaning they could be used to hijack an unpatched system, Microsoft said in its monthly advance notification.

A twist to this month's Patch Tuesday is Microsoft's classification of one of the updates as "security feature bypass," a label it's never before applied.

"[Security feature bypass]-class issues in themselves can't be leveraged by an attacker," said Angela Gunn, a spokeswoman for the Microsoft Security Response Center, in a post to that group's blog today. "Rather, a would-be attacker would use them to facilitate use of another exploit."

Andrew Storms, director of security operations at nCircle Security, took a shot at deciphering the new category.

"Someone probably discovered a method to either turn off or bypass one of Windows' security features that could let an attacker get in easier," said Storms, who said the vulnerable element could be anything from UAC (User Account Control, the consent prompt users must click through to install software) to DEP and ASLR (data execution prevention and address space layout randomization), two important anti-exploit technologies built into Windows.

In an email, Paul Harvey, a security and forensic analyst with Lumension, flatly said that the security feature bypass (dubbed "SBF" by Microsoft) patch would "update ... Microsoft's SEHOP technology to enhance the defense-in-depth capability that it can afford to legacy applications."

SEHOP, or Structured Exception Handler Overwrite Protection, is an anti-exploit technology designed to block a now-common attack technique first described in 2003, according to a Microsoft Security Research & Defense blog post from 2009: an attacker who has overflowed a stack buffer overwrites a structured exception handler record so that, when an exception is raised, execution is redirected to code of the attacker's choosing.

Microsoft added SEHOP to Windows with Vista Service Pack 1 (SP1); it is also present in Windows 7, Server 2008 and Server 2008 R2, although it is disabled by default on Vista and Windows 7, Microsoft says, "for compatibility reasons."

It's possible that Microsoft will enable SEHOP by default in those client editions of Windows with next Tuesday's patch.

Microsoft said it would publish more information about the SBF-related update next week.

The new category doesn't necessarily mean that Microsoft expects a slew of vulnerabilities that fit under the SBF label, said Storms, who had a simpler explanation.

"I think they just had an oddball and they didn't know what to do with it," said Storms. "Rather than try to shove it into an existing category, like remote code execution or elevation of privilege, they thought, 'Why muck with history? Let's just make a new one.'"

Microsoft declined to say whether next week's update tally will include a fix for a long-standing issue in SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0 within Windows, a weakness in the way those protocols reuse the last ciphertext block of one CBC-mode record as the initialization vector of the next (TLS 1.1 and later use a fresh IV per record and are not affected). The flaw was publicized last September by a pair of researchers who built BEAST, or "Browser Exploit Against SSL/TLS," a hacking tool and the first practical exploit of the years-old weakness.

Although a patch for the bug exploited by BEAST was scheduled to ship in December 2011, Microsoft pulled the release at the last moment after German enterprise software vendor SAP reported compatibility problems.

"Microsoft continues to work with SAP and will release the update through our normal bulletin process," said Dave Forstrom, director of Microsoft's Trustworthy Computing group, today when asked if a BEAST patch was on the docket for next Tuesday.

"It's gonna be in there," said Storms of Microsoft's fix. "It's my understanding that the SAP patch is already out."
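The weakness BEAST exploits, reduced to a runnable model. This is an example added here, not code from the article or from Microsoft, SAP or the BEAST authors: in SSL 3.0 and TLS 1.0 each CBC record uses the previous record's last ciphertext block as its IV, so an eavesdropper who can make the victim's browser send chosen plaintext knows the IV before the plaintext is chosen and can verify one guess of a secret block per record; by adjusting the length of an attacker-controlled prefix so that only one unknown byte falls in a block, a cookie is recovered a byte at a time. The block cipher is a toy Feistel permutation built from SHA-256 rather than AES (the attack depends only on CBC chaining), the key and cookie are constructed for the demo, and the 1/n-1 record split selected by split_records is the countermeasure browsers and TLS libraries deployed against BEAST. The article does not say how Microsoft's pending update addresses the flaw, so nothing below describes that patch.

```python
"""BEAST-style chosen-plaintext attack on TLS 1.0 CBC record chaining, in miniature."""
import hashlib

BLOCK = 16
# Constructed for the demo: a fixed key and the cookie the eavesdropper wants.
KEY = hashlib.sha256(b"demo-key").digest()
SECRET = b"sid=7f3a"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pkcs7(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the toy cipher: a keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy 8-round Feistel permutation standing in for AES. The attack depends only on
    # CBC chaining, not on the cipher, so any fixed-width keyed permutation will do.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, xor(left, _round(key, right, rnd))
    return left + right


class Tls10Sender:
    """CBC record layer as in SSL 3.0 / TLS 1.0: the IV of record i is the last
    ciphertext block of record i-1, so anyone watching the wire knows the next IV
    before the next plaintext is chosen.  split_records=True sends every record as
    1 + (n-1) bytes, the mitigation browsers and TLS libraries adopted against BEAST."""

    def __init__(self, key: bytes, split_records: bool = False):
        self.key = key
        self.split_records = split_records
        self.chain = b"\x00" * BLOCK  # real TLS 1.0 derives the first IV from the key block

    def send(self, plaintext: bytes) -> bytes:
        pieces = [plaintext]
        if self.split_records and len(plaintext) > 1:
            pieces = [plaintext[:1], plaintext[1:]]
        wire = b""
        for piece in pieces:
            data = pkcs7(piece)
            for i in range(0, len(data), BLOCK):
                self.chain = encrypt_block(self.key, xor(data[i:i + BLOCK], self.chain))
                wire += self.chain
        return wire


def victim_request(conn: Tls10Sender, path: bytes) -> bytes:
    # The victim's browser sends an attacker-chosen path with its secret cookie appended,
    # as BEAST arranges with script running in the victim's browser.  Returns the wire bytes.
    return conn.send(path + SECRET)


def recover_secret(conn: Tls10Sender, max_len: int = len(SECRET)) -> bytes:
    """Byte-at-a-time recovery.  Returns what was recovered; stops at the first byte for
    which no guess verifies, which with split records is the very first one."""
    last_seen = victim_request(conn, b"GET / ")[-BLOCK:]  # warm-up: learn the current chain value
    recovered = b""
    for k in range(max_len):
        # Choose the prefix length so that secret[k] is the last byte of a block whose
        # other 15 bytes (prefix tail + secret[:k]) the attacker already knows.
        prefix = b"A" * ((BLOCK - 1 - k) % BLOCK)
        b = (len(prefix) + k) // BLOCK
        wire = victim_request(conn, prefix)
        target = wire[b * BLOCK:(b + 1) * BLOCK]
        c_prev = wire[(b - 1) * BLOCK:b * BLOCK] if b else last_seen
        last_seen = wire[-BLOCK:]
        known = (prefix + recovered)[b * BLOCK:]
        for g in range(256):
            guess = known + bytes([g])
            # The next record's first block is E(probe XOR last_seen); pick probe so that
            # this equals E(guess XOR c_prev), the value the target block has if the guess
            # is right.  With record splitting the real IV is not last_seen, so this fails.
            probe = xor(xor(guess, c_prev), last_seen)
            wire = victim_request(conn, probe)
            last_seen = wire[-BLOCK:]
            if wire[:BLOCK] == target:
                recovered += bytes([g])
                break
        else:
            break  # IV prediction failed: no guess could be verified
    return recovered


if __name__ == "__main__":
    print("TLS 1.0 chaining:", recover_secret(Tls10Sender(KEY)))
    print("with 1/n-1 split:", recover_secret(Tls10Sender(KEY, split_records=True)))
```

Against the plain TLS 1.0 sender the loop recovers the whole cookie with at most 256 probe records per byte; against the splitting sender the one-byte record placed in front of every message means the IV the attacker predicted is never the IV actually used, and not a single byte verifies. The same effect is obtained by negotiating TLS 1.1 or later, where each record carries its own explicit IV.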

The seven updates next week will get 2012 off to a quick start for Microsoft, which has traditionally pushed a small number of updates to users in the year's first month. Microsoft released just two bulletins in January 2011, for example, two in 2010, one in 2009 and two in 2008.

Microsoft will release the seven updates at approximately 1 p.m. ET on Jan. 10.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
