Microsoft is kicking off its 2012 Patch Tuesday release cycle with seven security bulletins. Among the items patched is an SSL issue that has been known publicly since at least September 2011.
The January Patch Tuesday update provides a fix for the SSL BEAST attack (an acronym for Browser Exploit Against SSL/TLS). The BEAST exploit takes advantage of a weakness in the TLS 1.0 version of SSL to decrypt encrypted HTTPS requests. Microsoft had originally planned to patch the flaw in its December Patch update .
“MS12-006 patches the SSL vulnerability which was scrapped last month, reportedly because of incompatibility issues with SAP,” Marcus Carey, security researcher at security vendor Rapid 7 said in an email sent to InternetNews.com. “This pulled patch last month emphasizes the point that organizations need to test patches for compatibility before patching.”
Carey noted that in the case with SAP, they have access to test patches before deployment. Smaller software providers might not have access to the patches before Microsoft releases them. He suggests that organizations should always test, then patch.