Microsoft’s January security updates, released today (Patch Tuesday) are mainly a collection of fixes designed to stop the “SSL Beast” attack, which could exploit a weakness in the web encryption protocol to launch man-in-the-middle attacks to decrypt authentication tokens. The attack was demonstrated by two researchers in September.
Interestingly, the six updates addressing SSL Beast are rated Important rather than critical. The exploit would only be effective against the SSLv3 and TLSv1 and not later versions, reducing the potential attack surface significantly. And, there has been no evidence that this type of attack has actually been used. The patches were originally planned for the December update but postponed because of testing issues, according to Microsoft. SSL has come under pressure this year because of attacks on certificate authorities, notably DigiNotar (see fellow Bistro-ite Richard Stiennon’s posting).
The lone critical bulletin entry addresses two vulnerabilities in Windows Media Player and DirectShow that could allow remote code execution and give an attacker the same rights as the local user. Thus, users with admin rights would be more vulnerable than users with restricted privileges.