VERT Alert - January 10, 2012

January 10, 2012 1:55 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for this bulletin in order to meet our 24-hour SLA and expects to ship ASPL-439 on Wednesday, January 11th.

Windows Kernel SafeSEH Bypass Vulnerability CVE-2012-0001
Object Packager Insecure Executable Launching Vulnerability CVE-2012-0009
CSRSS Elevation of Privilege Vulnerability CVE-2012-0005
MIDI Remote Code Execution Vulnerability CVE-2012-0003
DirectShow Remote Code Execution Vulnerability CVE-2012-0004
Assembly Execution Vulnerability CVE-2012-0013
SSL and TLS Protocols Vulnerability CVE-2011-3389
AntiXSS Library Bypass Vulnerability CVE-2012-0007


The first bulletin of 2012 introduces a new Security Impact to Microsoft Bulletins, "Security Feature Bypass". This issue isn't specifically a vulnerability and isn't useful on it's own,; rather, it's a bypass of the SafeSEH setting on software compiled with the release version of Microsoft Visual C++ .NET 2003. So while you must also have a vulnerability in your compiled software, the bypass itself exists within Windows, which is why the update is being offered this way. It also means that compiled software will not need to be recompiled.


You could think of this as an extension of the DLL preloading attack, however instead of a DLL you're dealing with an EXE, which means that SafeDllSearchMode cannot help mitigate this issue. According to the Microsoft SRD Blog, the issue applies to Microsoft Publisher (.PUB) files, where an attacker could place a malicious file in the same directory as a .PUB file.


The third vulnerability of 2012 affects the Windows Client Server Runtime Subsystem (CSRSS) and, while only systems currently running a double-byte (Unicode) locale (such as Chinese, Japanese, or Korean system locales) are vulnerable, it's important to keep in mind that the locale on affected systems could be swapped. For that reason, this patch can, and should, be applied to every system regardless of the current locale.


The most important thing to note for MS12-004 is that there are two patches for pre-Windows 7 systems,: one for the Windows Multimedia Library and one for DirectShow. To resolve all the vulnerabilities contained in this bulletin, both patches must be applied. This bulletin also gives us the only critical vulnerability of the month, an attack with a potential drive-by vector related to the processing of MIDI files.


This bulletin is similar to MS12-002, however, instead of placing a malicious EXE next to an Office document, the malicious EXE can be deployed as a ClickOnce application and embedded within the Office Document.


This bulletin fixes the well-known BEAST vulnerability. This has been so widely discussed since its release that there's no new information to provide, other than to say it should be patched as soon as possible.


The final bulletin this month resolves a bypass in the Microsoft AntiXSS Library. What's interesting is that Microsoft launched a new "Security Feature Bypass" category, yet did not include a vulnerability called "AntiXSS Library Bypass" in this category, instead labeling the impact as Information Disclosure. This bypass alone isn't worrisome, however, when combined with a flaw in the website that lies behind the AntiXSS library.


As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table:


Automated Exploit
Extremely Difficult
No Known Exploit
Local Availability
Remote Availability
Remote Access
Local Privileged
Remote Privileged


All data and commentary is based on information available when the VERT Alert is published.