Microsoft issues seven bulletins in January fix

Microsoft has issued its first security update of the year, issuing seven bulletins for Windows and Office.

January's 2012 'Patch Tuesday' release will address eight vulnerabilities, including flaws in Windows Server.

Of the eight security vulnerabilities addressed in the update, just one is considered by Microsoft to be a critical security risk. The critical flaw lies within the Windows Media Player and could allow an attacker to achieve remote code execution by way of a specially-crafted MIDI or DirectShow file.

Microsoft noted that though the vulnerability has been given its highest alert rating, no active attacks on the flaw have been spotted in the wild.

The six remaining flaws have all been listed as 'important,' the third of Microsoft's four security alert levels.

Among the important flaws are remote code execution vulnerabilities for Office and Windows as well as an elevation of privilege vulnerability affecting Windows Server 2003 and XP systems.

The update also includes a fix for a previously-disclosed vulnerability in the Windows SSL component which could allow an attacker to harvest data over a supposedly secure web connection.

Jim Walter, manager for the McAfee Threat Intellegence Service, said the SSL fix was of particular importance as the flaw has been known to the public for several months.

"This month’s release brings a Microsoft-specific fix for the browser exploit against BEAST SSL/TLS issues highlighted at the ekoparty Conference in September 2011," Walter explained.

"The update works by updating the method by which the Windows Secure Channel (SChannel) acquires and interprets encrypted network packets."