Microsoft issues Patch Tuesday fix for Media Player and security bypass

Seven bulletins issued in Microsoft's first Patch Tuesday of 2012

Microsoft released seven bulletins, one deemed critical, and fixed a handful of new security issues yesterday as the first Patch Tuesday of 2012 was issued.

Although Microsoft tied a previous high for bulletins issued in January, Qualys CTO Wolfgang Kandek isn't so concerned about large numbers. The growing number of Microsoft products being used in the wild naturally drives up the number of security bulletins the company will have to issue to protect them, he points out. Larger patches may soon become a more common occurrence.

"Microsoft has new products to cover every year, so they're adding more potential platforms that they have to cover," Kandek says. "There are kind of two different forces. One is they're getting better at fixing and finding vulnerabilities earlier in the development cycle, so they're not even released. And on the other hand they have to deal with more products. So I don't read too much into that big of a volume."

On an individual level, the patch also answered a few questions that arose following Microsoft's advance notification issued last week, the most pressing of which involved what Microsoft meant by "Security Bypass Feature." It was the first time Microsoft had used the term, and it caused many to question what it could entail.

The security bypass feature, which describes the type of vulnerability addressed in Bulletin MS12-001, involves a feature designed to detect any mistakes or errors in a given program. The vulnerability can be used to facilitate another attack by disabling a feature designed to alert the system that an attack is occurring.

Amol Sarwate, director of Vulnerability Labs for Qualys, compared the security bypass feature to a home alarm system.

"If the bolt on the door is not good and anyone can crash through it, this is basically like the alarm system that goes off if you kick through the bolt," Sarwate says.

Because Microsoft has brought the security bypass feature to light, Kandek believes researchers may start exploring the possibility of similar vulnerabilities in other features.

While the issue with the security bypass feature may be the most intriguing, several researchers deemed the vulnerability in Windows Media Player the most important, as its critical rating denotes. The issue involves the MIDI file format, which is used to detect musical instruments on Windows Media Player. Microsoft's bulletin patches an exploit through which hackers can take control of a computer that has opened a MIDI file.

"So if I could trick you to play a file like that, you might just go to a website and listen to some MIDI music, then I would be able to plant a controlled program on your computer that way," Kandek says. "It can be used for email and it could also send you a link. And you just have to play it, you don't have to do anything, you don't have to execute anything or install anything. So it makes that one kind of interesting for an attacker."

Andrew Storms, director of security operations at nCircle, says the MIDI vulnerability should be "the top development priority for everyone."

Additionally, the nature of the Windows Media Player may drive more users to upgrade to newer Microsoft software, Storms added.

"This bulletin provides yet another reason to upgrade to Windows 7 because those users are not affected by this drive-by exploit," Storms says.

In fact, two of the seven vulnerabilities were not applicable to Windows 7 or Windows Server 2008 R2. This isn't just a stroke of luck, Kandek says, but the result of widespread security improvements in Microsoft's more recent products.

"Most of the time these new products are more secure," Kandek says. "We often find that a vulnerability that is critical on Windows XP is only rated as important on Windows 7. So I think overall, they are definitely on the right track to making their products more secure."

However, Microsoft still has plenty of bases to cover, according to Kandek, so no significant changes to the Patch Tuesday pattern should occur anytime soon.

"There's still a larger base to cover, so maybe the number of critical vulnerabilities will go down, but we'll still have plenty of important and moderate vulnerabilities," Kandek says.





