Cautious optimism: Details of Microsoft's first Patch Tuesday of 2012

The details of Microsoft's first Patch Tuesday seem scary on the surface, but may actually suggest a more proactive approach going into 2012.

Microsoft has already stirred the pot in the security community, releasing details on the first Patch Tuesday of 2012 in an advance notification published last week.Although the document gives off some scary numbers – its seven bulletins ties a previous high for January – a closer look shows that Microsoft may be redirecting its security strategy in light of success in 2011.Six of the seven bulletins issued target the Windows operating system, Windows XP Service Pack 3 and later, while another addresses an information disclosure issue with Microsoft developer tools software. One bulletin, which will fix a remote code execution issue in Media Player, was rated "critical."Also notably, another bulletin rated "important" was described as a "Security Feature Bypass," a denomination Microsoft has never used before.Even with the bulletins at hand, Lumension security and forensic analyst Paul Henry said the top priority is to install the out-of-band patch Microsoft released on Dec. 29, especially for those with web-based assets on the ASP.Net framework. That patch was rushed to release one day after German researchers pointed it out at a conference, and addresses a vulnerability with web apps based on the .Net framework that could be susceptible to denial-of-service attacks. According to Henry, implementing the out-of-band patch should come even before the critical exploit targeting Media Player.But beyond the obvious details, the first Patch Tuesday of the year may actually show some signs of a new direction for Microsoft's security team.First, it should be noted that the exploit affecting Media Player is only deemed critical for older versions of Microsoft software. For those running Windows 7 and Windows Server 2008 R2, the bulletin is downgraded to "important," just as all the others in the patch. While that detail may fly under the radar amid the buzz surrounding Patch Tuesday, it does point to security improvements among newer versions of Microsoft software.Then there's Microsoft's focus on Beast SSL attacks, otherwise known as Browser Exploit Against SSL/TLS. Several bulletins address issues that can be exploited through Beast SSL, which Henry believes is a sign that Microsoft may be leaning toward a more proactive approach to patch holes before they are exploited."Despite all of the hype over 'The Beast,' attacks have simply never materialized, and the issue has retained its 'important' classification from Microsoft," Henry says.Microsoft's apparent onslaught against a seemingly dormant threat in The Beast, as well as its focus on information disclosure issues and defense-in-depth improvements for its SEHOP technology, indicate that the company's recent security improvements may have given it room to address issues that had been lingering behind the scenes, Henry said."With an overall reduction in critical issues in 2011, we can anticipate Microsoft will bolster defense-in-depth efforts and likely increase the number of patches addressing important issues, such as privilege escalation vectors," Henry says.In 2011, Microsoft issued just 100 security bulletins, down from 106 in 2010, and saw its number of critical security bulletins issued dip lower than it's been since the Patch Tuesday initiative was launched in 2004.So it may not be as bad as it seems. Maybe this is what to expect moving forward – a steady influx of bulletins addressing issues that had been waiting on the back burner.But, of course, it's much too soon to say. Cautious optimism may be a recurring theme for Microsoft security in the new year.

Colin Neagle covers Microsoft security and network management for Network World. Keep up with his blog: Rated Critical, follow him on Twitter: @ntwrkwrldneagle.


Copyright © 2012 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022