Microsoft's 2012 kick-off features 7 security bulletins

JMH

Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins.

The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six "important" bulletins due next Tuesday handle the BEAST SSL issue and various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offer to legacy applications. The "important" rather than critical status for the BEAST SSL issue is at least debatable.

http://www.theregister.co.uk/2012/01/06/patch_tuesday_pre_alert_jan_2012/

January 2012 Patch Tuesday Preview - The Laws of Vulnerabilities

Microsoft Security Bulletin Advance Notification for January 2012
 

The SSL vuln patch is labeled as "important" because mitigation is as easy as using an RC4 cipher rather than a CBC one, and if FIPS is required, migration to using TLS v1.1 or v1.2 mitigates it as well. TLSv1.1 was RFC'ed in 2006, and Microsoft's IIS7 (Server 2008) and Vista/Win7 support TLS v1.1 or v1.2. While the vulnerability itself is fairly critical, mitigation is fairly easy and attacks aren't seen as prevalent yet, and as such Microsoft deems that type of issue "important".
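The mitigation logic described in the reply above (RC4 instead of CBC, or TLS v1.1/v1.2), as an added example that is not part of the original thread: a small audit that flags negotiated protocol/cipher pairs still exposed to BEAST. The host names and scan results are constructed, the function names are hypothetical, and the protocol strings are assumed to follow the format of Python's `SSLSocket.version()`.

```python
import re

# Protocols where the CBC IV of a record is the last ciphertext block of the
# previous record (the property BEAST relies on). TLS 1.1+ use explicit IVs.
CHAINED_IV_PROTOCOLS = {"SSLv3", "TLSv1"}

def uses_cbc(suite: str) -> bool:
    """True if an IANA- or OpenSSL-style suite name denotes a CBC block cipher."""
    name = suite.upper().replace("-", "_")
    # Stream and AEAD suites are not CBC. RC4 sidesteps BEAST as the reply says;
    # note that RFC 7465 (2015) later prohibited RC4 in TLS altogether.
    if any(tag in name for tag in ("RC4", "GCM", "CCM", "CHACHA20", "NULL")):
        return False
    if "CBC" in name:
        return True
    # OpenSSL names omit "CBC" for most block suites, e.g. AES128-SHA.
    return bool(re.search(r"AES|DES|CAMELLIA|SEED|IDEA", name))

def beast_status(protocol: str, suite: str) -> str:
    """Classify one negotiated (protocol, suite) pair."""
    if protocol not in CHAINED_IV_PROTOCOLS:
        return "ok: explicit-IV protocol"
    if uses_cbc(suite):
        return "exposed: CBC under " + protocol
    return "ok: non-CBC suite"

def exposed_endpoints(results):
    """Return the hosts whose negotiated pair is still BEAST-exposed."""
    return [host for host, proto, suite in results
            if beast_status(proto, suite).startswith("exposed")]

# Constructed sample: (host, negotiated protocol, negotiated suite).
SAMPLE = [
    ("web01.example.test", "TLSv1",   "AES128-SHA"),
    ("web02.example.test", "TLSv1",   "RC4-SHA"),
    ("web03.example.test", "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("web04.example.test", "SSLv3",   "DES-CBC3-SHA"),
    ("web05.example.test", "TLSv1.1", "AES256-SHA"),
]

if __name__ == "__main__":
    for host, proto, suite in SAMPLE:
        print(f"{host:22} {proto:8} {suite:30} {beast_status(proto, suite)}")
```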