January 2012 Security Bulletins Released

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing seven security bulletins, one of which is rated Critical in severity, with the remaining six classified as Important.

These bulletins will address eight vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the sole critical update:

  • MS12-004 (Windows Media Player): Vulnerabilities in Windows Media Player Could Cause Remote Code Execution. This bulletin – the only one in January’s set to include multiple CVEs – addresses two issues that could arise if a would-be attacker sent a malicious MIDI or DirectShow file to a targeted user. Both of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. Still, we recommend that customers read through the bulletin information concerning MS12-004 and apply it as soon as possible.

In the video below, Pete Voss discusses this month’s bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.

Deployment Priority

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index.

Exploitability Index

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page.

As you may remember, last month we announced a bulletin addressing the SSL issue we described in Security Advisory 2588513. Days before release, we noted a compatibility problem that might have affected certain users of third-party products, and decided to hold that bulletin until we could complete further investigation. We’re re-releasing that bulletin today as MS12-006; we’re also providing further information and guidance to customers with a Knowledge Base article and a Fix it that will be useful in certain installation circumstances.

As usual, our colleagues in SRD have prepared blog posts that delve more deeply into technical details of this month’s releases. In addition to a discussion of this month’s deployment priorities, SRD has a post examining some of the finer points of MS12-001, which addresses an Important-class issue affecting the SafeSEH security mitigation, and an overview of the aforementioned MS12-004.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Dustin Childs. I invite you to tune in and learn more about the January security bulletins, as well as other announcements made today. The webcast is scheduled for tomorrow, January 11, 2012, at 11 A.M. PST.

Angela Gunn
Trustworthy Computing.