The seven bulletins include one critical bulletin, designed to fix a remote code execution flaw in Media Player, and six tagged as important by Microsoft. Six of the seven bulletins address vulnerabilities in Windows, and all of them may require, or will require, a restart.
“Bulletin one is the single bulletin rated as 'critical' and should be considered the priority; however, for users of Windows 7 and Windows 2008 R2 its severity is downgraded to 'important',” noted Wolfgang Kandek, chief technology officer at Qualys.
“Bulletins three and five, while rated 'important', both involve remote code execution, most likely through a specifically crafted input file to one of the Windows standard programs, and should also be high on your list of bulletins to look at,” he said.
Bulletin two is tagged as a “security feature bypass”, which is a new category for Microsoft. According to Andrew Storm, director of security operations at nCircle, “this will cover cases where users figure out a way to turn off a Windows security safeguard. It’s not exactly a software bug, but it allows attackers much more room to maneuver.”
Paul Henry, security and forensic analyst with Lumension, observed that the important bulletins address “the Beast SSL issue and various information disclosure issues, escalation of privilege issues, and an update to Microsoft’s SEHOP [Structured Exception Handler Overwrite Protection] technology to enhance the defense-in-depth capability that it can afford to legacy applications.”
In September, researchers Thai Duong and Juliano Rizzo said they had found a way of breaking the SSL/TLS encryption that is used to guarantee the reliability and privacy of data exchanged between web browsers and servers. They termed their exploit the Beast – Browser Exploit Against SSL/TLS.
“Interesting to note that despite all of the hype over ‘The Beast’, attacks have simply never materialized and the issue has retained its ‘important’ classification from Microsoft”, Henry said.
Henry stressed that for users with web-facing assets using ASP.NET who have not already installed the out-of-band patch released last month, this patch should be a “priority.”