Bulk of Patch Tuesday Fixes for RCE Flaws
Microsoft delivered its monthly Security Update with nine bulletins, five classified as "critical" and four classified as "important," addressing 26 vulnerabilities in total. As in the past few months, the majority of the items address remote code execution flaws.
Security experts put bulletin MS12-060 at the top priority for IT this month, as it addresses an issue in Windows that attackers have been using to remotely hijack machines.
"MS12-060 fixes a vulnerability that is already being exploited in the wild," said Wolfgang Kandek, CTO of Qualys. "The vulnerability is located in the Windows Common Control and can be triggered through Office documents and through malicious web pages. The currently known attacks have been targeting Word and WordPad through RTF files attached to e-mail messages."
Microsoft said that along with the previous bulletin, bulletins MS12-052 and MS12-054 should also be applied ahead of the other six items.
MS12-052 is a cumulative update for four privately reported holes in Internet Explorer (critical for IE 6, 7, 8 and 9) that could lead to an RCE attack due to an error in how the browser handles objects in memory. The flaw is caused by Microsoft's use of Oracle's Outside In document parsing technology.
What is noteworthy about this item is that this marks the third month in a row that Microsoft has released a cumulative update for its browser; in the past, Microsoft would typically release this type of update every other month.
As for bulletin MS12-054, a fix for four holes in Windows that could be exploited by an attacker who sends a specially crafted response to a Windows print spooler request, Microsoft said this is a high priority due to the multiple types of attacks that could occur.
"This security update addresses three issues related to the Remote Administration Protocol (RAP) and one issue affecting the Print Spooler," said Microsoft in a security blog post. "The impact from these issues ranges from Denial of Service (DoS) to Remote Code Execution (RCE)."
While Microsoft advises that these three items should be applied first, the final two critical items should be applied as soon as proper testing has been completed.
Security bulletin MS12-053 is another RCE fix for Windows that takes care of one vulnerability in the Remote Desktop Protocol. If unpatched, this flaw could lead to an attack if a sequence of specially crafted RDP packets were delivered to a targeted system. While still a critical fix, the scope of this bulletin is somewhat smaller than the previous entries, as it only affects a flaw in Windows XP SP3.
The final critical item of the month, bulletin MS12-058, takes care of multiple vulnerabilities in Microsoft Exchange Server 2007 SP3, 2010 SP1 and 2010 SP3. According to the Microsoft summary, the flaw is found in the Microsoft Exchange Server WebReady Document Viewing, and "could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA)."
The remaining four items for this month address issues that do not carry as high a risk as the above bulletins. They include:
- MS12-055: The only non-RCE-related item of the month takes care of an elevation of privilege flaw in multiple versions of Windows OS and Windows Server.
- MS12-056: This item takes care of a vulnerability in the JScript and VBScript scripting engines on 64-bit versions of Microsoft Windows that could lead to an RCE attack if a target visited a malicious Web site.
- MS12-057: Affecting multiple versions of Office 2007 and 2010, this fix takes care of a flaw that could lead to remote code execution if a malicious Computer Graphics Metafile (CGM) graphics file is embedded in an Office file.
- MS12-059: This month's final item resolves an Office 2010 flaw found in Microsoft Visio that could be exploited if a harmful Office file was opened by a user.
Security Certificate Update
Along with this month's Security Update, Microsoft has released Security Advisory 2661254, which restricts the use of certificates with RSA keys less than 1024 bits in length.
This change in how Microsoft verifies security certificates, which Microsoft previously discussed during last month's Security Update release, is a direct response to the Flame malware, which used unauthorized certificates to bypass antivirus programs.
Microsoft is currently making the update available through its Download Center before pushing it automatically to all users. Microsoft explained in a blog post that it was taking this approach to give enterprises enough time to reissue certificates with larger keys before they are blocked for Windows users.
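For administrators who want to find out ahead of time which certificates the advisory will affect, the following PowerShell snippet enumerates the local machine's Personal, Intermediate and Trusted Root stores and reports any certificate whose RSA public key is shorter than 1024 bits. It is an added example, not code from the article or from Microsoft; the store paths and the 1024-bit threshold are the assumptions it works from.

```powershell
# Added example (not from the article or from Microsoft): list certificates in the
# local machine stores whose RSA public key is shorter than the 1024-bit minimum
# that Security Advisory 2661254 begins to enforce.
$minimumBits = 1024
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'

$weak = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # Only RSA keys are in scope; PublicKey.Key can be null when the key's
        # provider cannot be loaded, so guard against that before reading KeySize.
        if ($cert.PublicKey.Oid.FriendlyName -eq 'RSA' -and $cert.PublicKey.Key) {
            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $minimumBits) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

if ($weak) {
    # Shortest keys first: these are the certificates to reissue before the block lands.
    $weak | Sort-Object KeyBits | Format-Table -AutoSize
} else {
    "No RSA certificates shorter than $minimumBits bits found in: $($stores -join ', ')"
}
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable; the Thumbprint column identifies each certificate that needs to be reissued with a larger key, and the Issuer column shows which internal or external CA has to do the reissuing.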