3 Critical RCE Fixes in May Security Patch
Microsoft's May security update arrived today with three bulletin items classified "critical" and four "important." Remote code execution fixes account for five of the seven items, including all three of the critical bulletins. The critical fixes should be applied as soon as testing has been completed. However, security experts are highlighting two of those bulletins as top priority. They address flaws that can affect both Microsoft and Apple OS platforms.
"This summary continues a trend we've seen lately for cross-platform attacks; several of the bulletins affect both Windows and Mac platforms," said Wolfgang Kandek, CTO of security firm Qualys, in a blog post. "This includes two of the critical bulletins, which is a big deal because Macs are more frequently being targeted with these exact attack vectors."
The top-priority item this month is bulletin MS12-034, which fixes seven privately disclosed flaws in Windows, Office, Silverlight and .NET Framework. According to Microsoft, this critical bulletin will address "the manner in which affected components handle specially crafted TrueType font files and by correcting the manner in which GDI+ validates specially crafted EMF record types and specially crafted EMF images embedded within Microsoft Office files."
Coming in at second for IT's priority consideration this month is bulletin MS12-029 -- a Microsoft Office critical fix that patches an issue in which attackers could modify how Office parses formatted data. If left unpatched, an attacker could gain a user's access rights once the user opens an infected RTF file.
Due to the increased risk of infection to Apple systems, Marcus Carey, security researcher at Rapid7, is warning that those running a Mac version of Office may be at higher risk of attack.
"In light of the recent uptick in Mac vulnerability reporting, I suspect we will be hearing about this in the future if Mac users fail to patch this vulnerability," said Carey. "Mac users should start paying more attention to third-party updates such as Word and Java that directly affect their security."
The final critical item for May's security update -- bulletin MS12-035 -- deals specifically with two privately reported issues in Microsoft's .NET Framework. Users running a Web browser that can run XAML Browser Applications (XBAPs) could be at risk of a system hijack when visiting a specially crafted Web site. While bulletin MS12-034 also affects the .NET Framework, Microsoft said that the two fixes are not related, and either can be applied in any order.
Microsoft's remaining bulletins for May include the following important-categorized items:
- MS12-030: This bulletin patches one publicly disclosed and five privately found errors in multiple versions of Microsoft Office that could lead to an RCE attack if a harmful Office document is opened. It's just classified as important because Office will prompt a user first before opening a new file.
- MS12-031: Microsoft's Visio Viewer 2010 gets a rare fix this month for a vulnerability associated with how it validates data when parsing harmful Visio files. Left unpatched, the flaw could open up a user to an RCE exploit if a harmful file is opened.
- MS12-032: The first non-RCE-related item fixes two holes in Windows affecting "the way that Windows Firewall handles outbound broadcast packets and by modifying the way that the Windows TCP/IP stack handles the binding of an IPv6 address to a local interface," according to Microsoft. If unpatched, an attacker with local access to a system could initiate an elevation of privilege.
- MS12-033: This month's final item, which also takes care of an elevation-of-privilege vulnerability, affects multiple versions of the Windows client OS and Windows Server. An attacker could install a harmful app using a memory flaw in the Windows Partition Manager. However, an attacker must have access to, and know the valid logon credentials of, a targeted system.
More information on all of Microsoft's updates for May can be found in the Microsoft Security Update Summary.