Four critical patches among six bulletins from Microsoft, including IE9 fix
Microsoft to issue seven patches, three of them critical, on next week's Patch Tuesday
According to commentators, the priority from the critical patches should be the Internet Explorer update, MS12-071. Wolfgang Kandek, chief technical officer at Qualys, said this is the most urgent as it allows an attacker to gain control over a machine running on IE by setting up a web page that hosts the exploit code.
“However, the problem only affects IE9, and anybody that is running a different version (7,8 or 10), which is 90 per cent of all enterprise IE users, can move on to the next vulnerability,” he said.
Andrew Storms, director of security operations at nCircle, said: “Topping our ‘patch immediately' list this month is the drive-by exploit affecting Internet Explorer 9. It's fairly obvious that Microsoft patched this bug in IE10 before its release; otherwise, we would have a bulletin affecting both IE9 and IE10.
“Despite the release of Windows 8 in late October, three of today's bulletins affect it. Much of the core operating system is reused from version to version, even in new releases, and all software has bugs. These factors, combined with security researchers that love to find and report bugs in the latest software version, are reasons for the number of bulletins for Windows 8. This should surprise no one.”
Jason Miller, manager of research and development at VMware, also recommended looking at the IE patch first, and noted that bulletins MS12-072, MS12-074 and MS12-075 all affect the new operating systems or components on the operating systems.
He said: “Windows 8 Release Preview and Server 2012 Release Candidate are affected by vulnerabilities such as the ones addressed in MS12-072. It is interesting to note that Microsoft is still offering patches for these vulnerabilities even after both versions of Windows 8 and Windows Server 2012 operating systems are now publicly available in Microsoft's live released version form.”
Miller recommended MS12-075 to be the second bulletin that administrators look at patching immediately. “This security bulletin addresses vulnerabilities in the Windows Kernel that could potentially lead to remote code execution. If an attacker can entice a user to view a file with malicious TrueType fonts, the attacker could take control of the unpatched system.” he said.
Ziv Mador, director of security research at Trustwave SpiderLabs, said: “If you got a shiny new Microsoft Surface tablet that runs Windows RT and thought you didn't need courage to surf the internet any more, then you better find some courage soon and install this patch.
“A specially crafted document or web page that uses TrueType Files can exploit this vulnerability that affects most versions of Windows including RT. Windows RT is of course the OS that powers the Microsoft Surface. The update for RT is only available through Windows Update and is not offered as a separate download.”
Paul Henry, security and forensic analyst at Lumension, said that MS12-075 is interesting as it is a TrueType font issue, and that Microsoft has been dealing with font issues for a while.
He said: “TrueType Fonts can be embedded all over the place and Windows kernel mode driver renders the font. If these fonts are embedded in a browser or a Word document, for example, it's rendered in the kernel mode driver and winds up becoming a kernel mode exploit. An authenticated, low-rights user could visit a website, the font gets rendered, and it gets rendered as 'system'. This is a very effective attack mode, so Microsoft tries to close out font issues quickly. This is as high a priority as MS12-071. Those two bulletins will be the two biggest attack vectors in this batch.”
Henry recommended looking at MS12-072, which addresses two critical remote code executions (CVE-2012-1572 and CVE-2012-1528). Mador said: “These two vulnerabilities involve a buffer overflow and an underflow of a Windows Briefcase. A Briefcase allows mobile PC users to easily transfer files to a removable drive and then have it synchronise those documents between the PC and the drive.
“These vulnerabilities can be exploited if a user browses to a specially crafted Briefcase using Windows Explorer, which could give an attacker the ability to execute arbitrary code. Microsoft hasn't seen this in use yet they will probably figure it out pretty quickly.”
The final critical patch is MS12-074, which affects remote code execution in the .NET framework. Mador said: “This patch will whisk you away from the evils of five CVEs. If you are convinced into using a malicious proxy auto configuration file, most likely via a man-in-the-middle attack, they can inject code into the currently running application giving them the ability to execute remote code.”
Kandek said: “One of the five vulnerabilities in the .NET framework is critical that allows an attacker who is controlling the contents of the the Proxy Auto Config (PAC) file to execute code in .NET applications, such as XBAP and .NET ActiveX. The potential for widespread code execution through this mechanism is limited because .NET applications are turned off by default.”
Miller said: “The patch for this product is only available through Windows Update only (not the Microsoft Download Center). This patching practice has been a common theme for Microsoft releasing security updates for their preview products.”