
Microsoft plans big January Patch Tuesday

Mystery of the month, say experts, is what Microsoft means by 'security feature bypass' update

By Gregg Keizer, Computerworld
January 05, 2012 04:50 PM ET

Computerworld - Microsoft today said it would deliver seven security updates next week -- tying the record for January -- to patch eight vulnerabilities in Windows and its developer tools.

But the company declined to confirm that the Jan. 10 slate will include a patch pulled at the last minute a month ago.

One of the seven updates was tagged "critical," the highest threat ranking in Microsoft's four-step system, while the others were marked "important," the second-highest rating, even though some of them could conceivably be exploited by attackers to plant malware on users' PCs.

Altogether, three of the updates were labeled as "remote code execution," meaning they could be used to hijack an unpatched system, Microsoft said in its monthly advance notification.

A twist to this month's Patch Tuesday is Microsoft's classification of one of the updates as "security feature bypass," a label it's never before applied.

"[Security feature bypass]-class issues in themselves can't be leveraged by an attacker," said Angela Gunn, a spokeswoman for the Microsoft Security Response Center, in a post to that group's blog today. "Rather, a would-be attacker would use them to facilitate use of another exploit."

Andrew Storms, director of security operations at nCircle Security, took a shot at deciphering the new category.

"Someone probably discovered a method to either turn off or bypass one of Windows security features that could let an attacker get in easier," said Storms. The bypassed element, he said, could be anything from UAC (User Account Control), the prompt users must click through to install software, to DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), two important anti-exploit technologies built into Windows.

In an email, Paul Harvey, a security and forensic analyst with Lumension, flatly said that the security feature bypass (dubbed "SBF" by Microsoft) patch would "update ... Microsoft's SEHOP technology to enhance the defense-in-depth capability that it can afford to legacy applications."

SEHOP, or Structured Exception Handler Overwrite Protection, is an anti-exploit technology designed to block a now-common hacking technique first described in 2003, according to a Microsoft Security Research & Defense blog post from 2009.

Microsoft added SEHOP defenses to Windows with Vista Service Pack 1 (SP1); it's also inside Windows 7, Server 2008 and Server 2008 R2, although it's disabled by default on Vista and Windows 7, Microsoft says, "for compatibility reasons."

It's possible that Microsoft will enable SEHOP by default in those client editions of Windows with next Tuesday's patch.
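Because SEHOP ships disabled on the client editions, administrators who don't want to wait for Microsoft to flip the default can check and enable it themselves. The PowerShell below is an added example for this article, not code from Computerworld or Microsoft. It uses the system-wide registry switch Microsoft documents for SEHOP (`DisableExceptionChainValidation` under the Session Manager `kernel` key, where 0 means enabled) and the per-image override under Image File Execution Options for the legacy-application compatibility cases the article mentions; the image name `legacyapp.exe` is a hypothetical placeholder. It must run from an elevated prompt, and a reboot applies the system-wide change.

```powershell
# Added example: inspect and enable SEHOP on Vista SP1 / Windows 7 / Server 2008 (R2).
# Not from the article or from Microsoft; key and value names are the ones Microsoft
# documents for SEHOP. SEHOP protects x86 code (including 32-bit processes on x64);
# native x64 binaries use table-based exception handling and are not affected by it.

$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$ValueName = 'DisableExceptionChainValidation'   # DWORD: 0 = SEHOP enabled, 1 = disabled

function Get-SehopState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured'. When the value is absent the
    # platform default applies: disabled on the client SKUs, enabled on the server SKUs.
    $item = Get-ItemProperty -Path $KernelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Enabled' }
    return 'Disabled'
}

function Enable-Sehop {
    # System-wide opt-in. Writes 0 (enabled); takes effect after a reboot.
    Set-ItemProperty -Path $KernelKey -Name $ValueName -Value 0 -Type DWord
}

function Set-ProcessSehop {
    # Per-image override via Image File Execution Options, so a legacy binary that breaks
    # under SEHOP can be opted out (-Enabled $false) while the rest of the system stays on.
    # $ImageName is the executable's file name, e.g. 'legacyapp.exe' (hypothetical).
    param(
        [Parameter(Mandatory)][string]$ImageName,
        [bool]$Enabled = $true
    )
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ImageName"
    if (-not (Test-Path $ifeo)) { New-Item -Path $ifeo -Force | Out-Null }
    $value = if ($Enabled) { 0 } else { 1 }
    Set-ItemProperty -Path $ifeo -Name $ValueName -Value $value -Type DWord
}

# Usage: report first, then opt in system-wide and carve out one incompatible application.
"SEHOP (system-wide): $(Get-SehopState)"
# Enable-Sehop
# Set-ProcessSehop -ImageName 'legacyapp.exe' -Enabled $false
```

Run `Get-SehopState` again after the reboot to confirm the change took; a result of `NotConfigured` on a client machine means the compatibility default (off) is still in force.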

Microsoft said it would publish more information about the SBF-related update next week.

The new category doesn't necessarily mean that Microsoft expects a slew of vulnerabilities that fit under the SBF label, said Storms, who had a simpler explanation.

"I think they just had an oddball and they didn't know what to do with it," said Storms. "Rather than try to shove it into an existing category, like remote code execution or elevation of privilege, they thought, 'Why muck with history? Let's just make a new one.'"

Originally published on www.computerworld.com.
