The Beast Has Been Slain!

[ritchie58]

A Microsoft Windows update today fixes a weakness in the protocols used to secure e-commerce sites, which was first exposed by researchers using a tool they dubbed "BEAST."

 

Microsoft planned to release the BEAST (Browser Exploit Against SSL/TLS)-related patch last month, but had to pull it because it created compatibility issues with SAP software. Researchers had demonstrated the vulnerability using BEAST in September, prompting fears that attackers would use the tool to snoop on protected Internet sessions in what is called a "man-in-the-middle" attack. MS12-006 patches a hole in the Secure Sockets Layer and Transport Layer Security protocols.

 

 

Related stories

• Microsoft fixes Duqu hole, but not BEAST problem
• Browsers tackle the 'BEAST' Web security problem

The seven bulletins in Microsoft's Patch Tuesday release fix eight vulnerabilities and only one bulletin is rated "critical" -- MS12-004. It plugs two holes in Windows Media Player that could allow an attacker to take over a computer by sending a malicious MIDI or DirectShow file to a targeted user. More details are available at the Microsoft Technet blog.

 

The security bulletin summary for January also includes MS12-001 to address a security feature bypass flaw, a new category of issues that can't be directly exploited by an attacker, but which an attacker could use to facilitate use of another exploit.

 

Meanwhile, Adobe released updates today for Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh to resolve critical security issues. By: Elinor Mills, InSecurity Complex

 

 

 

[ritchie58]

Today is Patch Tuesday. So get these security patches installed as soon as possible. I got four security patches and ran the Malicious Software Removal Tool from Microsoft today for my Win 7 64bit machine.