Must Read: Galaxy Note 8.0 tablet: Beating the iPad mini (review)

Topic: Windows

'Critical' Windows Media flaws put millions at risk

Summary: Pay special attention to MS12-004, a "critical" bulletin that provides fixes for two serious flaws in the way Windows Media handles certain media files.

Ryan Naraine

By for Zero Day |

Microsoft has dropped its first batch of security bulletins for 2012: Seven bulletins with cover for at least eight vulnerabilities affecting all versions of the Windows operating system.

The company is urging Windows users to pay special attention to MS12-004, a "critical" bulletin that provides fixes for two serious flaws in the way Windows Media handles certain media files.

The first issue can be exploited if a hacker used a specially crafted MIDI file, Microsoft warned.  The successful attacker could gain remote code execution against a target running the ubiquitous Windows Media Player.

The second critical vulnerability is caused when when filters in DirectShow do not properly handle specially crafted media files.  DirectShow is a part of Microsoft DirectX, a Windows feature used for streaming media on Windows operating systems to enable graphics and sound when playing games or watching video.

Microsoft expects to see reliable exploit code against these vulnerabilities within 30 days so it's important that Windows users treat MS12-004 with the utmost priority.

Here's a quick look at the other issues in this January patch batch:

follow Ryan Naraine on twitter

  • MS12-001: Vulnerability in Windows Kernel Could Allow Security Feature Bypass

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.

  • MS12-002: Vulnerability in Windows Object Packager Could Allow Remote Code Execution

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

  • MS12-003: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege

This security update resolves one privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. All supported editions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability. This could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

  • MS12-005: Vulnerability in Microsoft Windows Could Allow Remote Code Execution

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

  • MS12-006 Vulnerability in SSL/TLS Could Allow Information Disclosure

This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

  • MS12-007: Vulnerability in AntiXSS Library Could Allow Information Disclosure

This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if a an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depend on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.

Topics: Windows, Microsoft, Operating Systems, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

51 comments
Log in or register to join the discussion

  • No problem. I enable Automatic Updates, so this doesn't affect me.

    that was easy
    William Farrel
    Reply Vote

    • RE: 'Critical' Windows Media flaws put millions at risk

      @William Farrel
      That says a lot about you, lack of concern for anyone else.
      daikon
      Reply Vote

      • Oh, that's just my response to the typical

        @daikon
        (at least for here)Linux user "it doesn't affect me 'cause I use Linux" not really needed response they always seem to post.

        Just getting a jump on them ;)
        William Farrel
        Reply Vote

      • How ZDNet works.

        @daikon ... <br>... "Millions at risk" >>> Critical updates turned on >>> case dismissed >>> Everybody go home >>> nothing to worry about. <br><br>It's called the "Easy Button" and shills all over get their ego's stroked for being so smart and technically adept. Because if you are arrogant enough, you can soar past all those ignorant, common users and fix any Microsoft problem. Yea!<br><br>If they don't worry about the 4.5 million TDL-4 botnet infections that occurred in three months, they certainly don't give a darn about this. ZDNet and Ed Bott didn't even write an article about it and it happened a year ago. After all, the 4.5 million weren't sophisticated technical people, that made any kind of difference. They were just loyal Microsoft customers, many double dippers without restore options. After all, they are so out of it, they don't know they are being used as a proxy and sending out 8,000 spam emails a day.<br><br>Like the article about restore disks, elitist shills proclaim that you just burn the disks or restore from the partition, case dismissed. If you can't do that, you are stupid, ignorant or lazy. Unfortunately most actual customers of Windows don't do it and not supplying a pressed recovery media logically generates tremendous revenue for Microsoft by people purchasing new computers with the same OS or a retail OS.<br><br>There is no doubt that this happens according to Microsoft design.<br><br><a href="http://www.zdnet.com/tb/1-112572?tag=talkback-river;1_112572_2285437#1_112572_2285437" target="_blank" rel="nofollow">http://www.zdnet.com/tb/1-112572?tag=talkback-river;1_112572_2285437#1_112572_2285437</a><br><br><a href="http://www.zdnet.com/tb/1-112572?p=2&tag=talkback-river;1_112572_2285820#1_112572_2285820" target="_blank" rel="nofollow">http://www.zdnet.com/tb/1-112572?p=2&tag=talkback-river;1_112572_2285820#1_112572_2285820</a><br><br>Having filters to kill competing links, posts and replies here is only the icing on the cake.<br>Ever see your post disappear after you refreshed the screen?<br><br>You are absolutely correct. Definition of a shill here = sell out the common user.<br><br>Yeh, Linux is a bummer, right. Maybe they should use Linux in Android, at least they respect the common user.
        Joe.Smetona
        Reply Vote

      • I agree with Mr. Farrel on his post

        @Joe.Smetona

        Your FUD laced post is yet another example of someone wanting to comment negativelly on a Microsoft related article, only to find that the issue has been rectified.

        Like Rick_Kl, you came with th ehope that they were unpatched vulnerabilities, only to find that not the case, giving you nothing to comment negativelly on.

        So you posted some FUD in an effort to "save face" as you call it.

        I am actually surprised that you believe people have fallen for your ruse.

        It appears that the readers here are fall more intelligent then you have given them credit for.

        The logical course of action would be to refrain from posting on these boards, as it is now shown to be a waste of your time, time that could be better spent elsewhere.
        :|
        Tim Cook
        Reply Vote

      • I've been here 6 years, I know exactly who the shills are.

        @Mr. Spock. <br><br>Here's where you make you fatal mistake. You are still reinforcing the snobbery and elitism present here. You'd deny or diminish anything to preserve your precious Microsoft flag.<br><br>I also was involved with photography for over 20 years. The same principal applies to film, paper and camera technology from Kodak. Professionals account for about 2% of the market. So you have Vericolor film for professionals and Kodacolor for amateurs or the general users. You would think advancements in technology would be made available for the professionals first. But the opposite is true. When tabular or T-Grain and other advanced technology was introduced, it went to Kodacolor way before it was used in Vericolor. Kodak works with the professionals, but the real money is with the amateur market.<br><br>The ZDNet crowd doesn't impact the general user, they don't even come here. But Microsofts' actions are well known to the average user, and they have quite a reputation. That's apparent with the two articles about the recovery media. The first one got so hostile that they had to ditch it and call in the master propagandist to write another article, but it would up being filled with posts complaining about Microsofts' practices.<br><br>Intel developed the new Tri-Gate 3D 22nm transistor technology which is a profound advancement in technology. It uses 40% less energy, so battery life can be almost doubled and speed can be significantly increased. Intel chose Apple to introduce the new technology in the iPhone. ...for average users. <br><br>Do you really want to keep ignoring the average user? Microsoft doesn't care about your money or your contribution, they are after the other 98%. That's just how business works.<br><br>Here's typical shill comments. (from the first link above). They also represent the views of ZDNet and some of it's authors about average users. There is a real problem here.<br><br> [b][i] "But then again, if customers is [are] so lazy that they refuse to even learn the basics of using the products they purchase, maybe they deserve to lose that money." <br><br>"...of the technically ignorant consumers by overcharging them for a task that they should, with a tiny amount of patience, be able to figure out themselves." <br><br>"If they ignorantly want to pay that much for something that pretty much comes up by itself, it's their problem." [/b][/i]

        1/17/2012 ... Reply to Mr. Spock.
        I don't write for the shill population here.
        @Mister Spock ... Next you may argue that ZDNet is not a Microsoft propaganda outlet disguised as a non-biased technical forum. If you want to spew Microsoft spam, use your real name, and go to a dedicated site that just discusses Microsoft.

        Being here, under these circumstances, makes you a shill spewing Microsoft propaganda in a supposedly neutral environment in order to defend Microsoft abuses and deficiencies and garner additional users. It's strictly a commercial endeavor and a fraud, only for the monetary gain of Microsoft and certainly not for the empirical benefit of the readers.

        I would assume shills don't get paid in cash, rather they get incentives and free products instead from their Microsoft reps. Remember Mike Cox?
        Joe.Smetona
        Reply Vote

      • RE: 'Critical' Windows Media flaws put millions at risk

        [i](at least for here)Linux user "it doesn't affect me 'cause I use Linux" not really needed response they always seem to post.[/i]

        Did @daikon say anything about Linux?

        FAIL
        ScorpioBlue
        Reply Vote

    • RE: 'Critical' Windows Media flaws put millions at risk

      the problem isnt installing updates its u cricking rinks and surfing bad websites.... ok the problem is using windows as an OS everything u do has an exploit not yet fixed or ackd by ms
      bspurloc
      Reply Vote

    • No problem. I enable Automatic Updates, so this doesn't affect me.

      I've honestly started looking forward to Tuesdays! I've GOT to get me one of those t-shirts like the one above!
      ralph.luben@...
      Reply Vote

    • RE: 'Critical' Windows Media flaws put millions at risk

      @William Farrel Until Automatic Updates just silently stops running and you never know it, as I've seen on a number of machines.
      RealNonZealot
      Reply Vote

      • RE: 'Critical' Windows Media flaws put millions at risk

        @RealNonZealot

        The very malware that Microsoft tries to patch against can and frequently does shut off the Automatic Updates service. In many cases (like TDL4, TRSS, etc.) it also disables your antivirus and uses a package of its own to stop common viruses in order to not draw attention to itself.
        benched42
        Reply Vote

    • You're not the IT manager responsible for 1,000+ workstations

      @William Farrel
      That guy definitely does not have automatic updates turned on. If he did, he'd be out of a job sooner or later. He has to closely review each and every update to see what is affected. He might well have to contact third party software vendors to see if an update is going to affect their applications. He might also have to talk to internal developers to see if an update is going to affect internally developed code. At a minimum, he's going to want to roll out the update or updates to a testbed to make sure it isn't going to break anything. Even then, he's likely to wait a few days just to make sure there aren't reports of problems caused by the update on the wire. The enterprise IT motto is simple...never be the first on the block to try something new, and that includes security updates.
      jasonp@...
      Reply Vote

      • RE: 'Critical' Windows Media flaws put millions at risk

        @jasonp@...

        Actually, we do have automatic updates turned on for the 2000+ machines on our MAN. However, they update from a local WSUS server. That server does not get any update gets approved until our internal testing shows they will not cause issues for the end user. If testing shows any issues, we sit on the update until a fix for the update available.
        DNSB
        Reply Vote

    • RE: 'Critical' Windows Media flaws put millions at risk

      @William Farrel <br><br>It's a shame that millions of people using Vista are being dumped from the update system this year on April 10<br><br>Hardly a word of warning.<br><br>Microsoft are really concerned about security, aren't they ?<br><br> <a href="http://www.zdnet.com/blog/bott/how-long-will-microsoft-support-xp-vista-and-windows-7/2304" target="_blank" rel="nofollow">http://www.zdnet.com/blog/bott/how-long-will-microsoft-support-xp-vista-and-windows-7/2304</a>
      Chipesh
      Reply Vote

      • RE: 'Critical' Windows Media flaws put millions at risk

        @Chipesh Not true for Vista. What about extended support? XP is on extended support yet it still receives updates.
        statuskwo5
        Reply Vote

  • RE: 'Critical' Windows Media flaws put millions at risk

    Blog posts about software updates are retarded.
    JeveSobs
    Reply Vote

  • most secure os ever!

    just don't play any videos!!!! OMG proper firewalling will protecteth u! just close port 80 and 443 and u r safe from surfing to bad places....
    bspurloc
    Reply Vote

  • RE: 'Critical' Windows Media flaws put millions at risk

    I wonder if ZDNet uses the same hyperbolic language whenever other operating systems release patches for critical flaws? Pay no attention that Microsoft has released a patch for the vulnerability! You're at risk and your computer will blow up and kill innocent wimmins and chidrens if you use teh evil WMP!!! What a bunch of biased crap, lol. At least they could have pretended to be unbiased if the headline had read "Microsoft releases patch for critical WMP flaw."
    SeanKD
    Reply Vote

    • RE: 'Critical' Windows Media flaws put millions at risk

      @SeanKD Totally agreed.
      warex3d
      Reply Vote

    • RE: 'Critical' Windows Media flaws put millions at risk

      @SeanKD
      Yeah, they should have written billions instead of millions at risk. It is the OS with the largest market share, after all. :p And anyway, 'wimmins and childrens' occasionally need a wake up call to alert them that this is a serious vulnerability and to get patchin.'
      Chiatzu
      Reply Vote
CNET Join | Log In | Privacy | Cookies Close