Microsoft released seven bulletins last night to cover three critical and four important flaws.
The bulletins cover a total of 23 vulnerabilities in Windows, Office, Silverlight and the .NET Framework. Yunsun Wee, director of Microsoft Trustworthy Computing, said customers should plan to install all of these updates as soon as possible and recommended focusing first on MS12-034.
This patch covers ten vulnerabilities. Jason Miller, manager of research and development at VMware, said: “The sheer size of this security bulletin will undoubtedly affect the majority of your network when patching this month.
“This bulletin covers: 72 Microsoft operating systems/service pack combinations; 31 Microsoft .NET installation versions and types; nine Microsoft Office installation versions and types; and six Microsoft Silverlight installation versions and types.
“This is by far one of the largest security bulletins Microsoft has ever released. This bulletin will address seven vulnerabilities with three of the vulnerabilities already publicly disclosed. There are quite a few scenarios in which an attacker could exploit the vulnerabilities, but the most tempting will involve a user visiting a malicious website.
“Both MS12-034 and MS12-035 will need to be applied to applicable systems with .NET installed. As most administrators are already aware, patching Microsoft .NET can be extremely time-consuming. Administrators should plan for a longer than usual patch cycle for their machines, with two security bulletins affecting the Microsoft .NET product.”
Paul Henry, security and forensic analyst at Lumension, said: “The most interesting of the patches is MS12-034, which seems to be a deeper dive by Microsoft to correct TrueType font issues. If you remember, this was an issue in the DuQu malware that was a problem last December.”
Tyler Reguly, technical manager, security research and development, at nCircle, said: “MS12-034 is sheer craziness – it's going to be the most interesting and most painful part of the day for most IT security teams. There are multiple Office and .NET patches due to the overlap of products in this bulletin.
“When you get past MS12-034, it's a fairly normal month with the expected local privilege escalation issues and Office patches. It's interesting to see something as obscure as Windows Partition Manager being patched. I would never have guessed that would appear this month.”
Wolfgang Kandek, CTO of Qualys, said MS12-035 is the third critical bulletin and addresses a flaw in XBAP, a Microsoft browser-based application delivery format.
“It is probably the least-urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the intranet zone of the target,” he said.
The other critical and second-priority bulletin, according to Microsoft, is MS12-029. Kandek said this can be used to gain control of an end-user's machine without requiring user interaction.
He said: “The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.”
Miller said: “This security bulletin addresses one vulnerability in older versions of Microsoft Word (pre-2010). An attacker can gain Remote Code Execution if a user opens a malicious RTF-type document with Microsoft Word. RTF documents are very common documents that are typically allowed through email systems as attachments.”
Also, Adobe released a security update yesterday for Shockwave Player 188.8.131.524 and earlier versions for Windows and Macintosh. It said this update addresses vulnerabilities that could allow an attacker to run malicious code on the affected system.