Microsoft plans to address eight vulnerabilities Jan. 10 as part of its regularly scheduled Patch Tuesday round of security updates.
In its January 2012 Advance Notification issued today, Microsoft said it would release seven bulletins, one rated “critical,” repairing coding errors across its product line. The security updates address issues in Microsoft Windows and Microsoft developer tools and software, Microsoft said.
The bulletins address a variety of flaws that could enable remote code execution and an escalation of privileges. One of the flaws, rated “important,” addresses a security feature bypass, which could be used by an attacker to exploit another error. Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, said detailed analysis of the security feature bypass would be made available on Tuesday.
Microsoft issued an out-of-band security update Dec. 29, addressing four serious vulnerabilities in the .NET Framework. Among the fixes in the out-of-band update was a repair to block hash collision attacks on ASP.NET Web applications. The attacks could cause systems to freeze up.
The update was prompted by a presentation at the Chaos Communications Congress in Berlin where two researchers identified ways to exploit the error, which can be found in a variety of Web programming languages. The researchers say development frameworks should have randomized hash functions to prevent the problem.