BEAST SSL fix in supersized Patch Tuesday
Microsoft's 2012 kick-off features 7 security bulletins
Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins.
The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six "important" bulletins due next Tuesday handle the BEAST SSL issue and various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offers to legacy applications. The "important" rather than critical status for the Beast SSL issue is at least debatable.
The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing.
"Despite all of the hype over 'The Beast', attacks have simply never materialised and the issue has retained its 'important' classification from Microsoft," notes Paul Henry, a security and forensic analyst at Lumension.
Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January, respectively in what promises to be a busy month for patching, Qualys adds.
Microsoft's pre-alert is here. ®
Similar topics
Broader topics
Narrower topics
- Azure
- Bing
- BSoD
- Excel
- Internet Explorer
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- .NET
- Office 365
- Outlook
- Pluton
- SharePoint
- Skype
- SQL Server
- TLS
- Visual Studio
- Visual Studio Code
- Windows
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows XP
- Xbox
- Xbox 360