Microsoft issued seven security bulletins to address three critical and four important issues on Patch Tuesday this week.
These address issues in Microsoft Windows, Internet Explorer, Dynamics AX, Microsoft Lync and the Microsoft .NET Framework. Angela Gunn, spokesperson at Microsoft Trustworthy Computing, recommended that users deploy MS12-037 first as it addresses 13 issues affecting all supported versions of IE.
Jason Miller, manager of research and development at VMware, said: “There are two Microsoft Security Bulletins administrators should look at addressing first from this Patch Tuesday. MS12-037 addresses 13 IE vulnerabilities. All of these are privately disclosed and there have been no active attacks to date, but it is important to patch your browsers as soon as possible as they are commonly attacked.
“MS12-037 and the security bulletin for Microsoft Lync, MS12-039, are related. Both address a vulnerability in the way HTML is sanitised in both Internet Explorer and Lync. If your machines have both of these products installed, you will need to install both bulletins to fully address this vulnerability.”
Tyler Reguly, technical manager of security research and development at nCircle, said: “Out of the seven bulletins released today, only two of them are worth discussing: the ever-present IE bulletin and a new update for Remote Desktop. It's probably a toss-up which one should be updated first; the decision ultimately depends on your environment. Do your users run IE? Is RDP enabled on every system?
“We see the remaining bulletins every month and, honestly, I'm getting tired of them. Win32k.sys and .NET XBAPs are starting to appear as frequently as Internet Explorer, and attack types like DLL preloading and elevation of privilege have become more common than remote code execution.”
The remote desktop patch is MS12-036, which Gunn said addresses one critical issue affecting all supported versions of Microsoft Windows that could result in remote code execution.
Andrew Storms, director of security operations at nCircle, said: “Today we're getting an unexpected RDP patch that appears to be a close relative of MS12-020 that was released in March. MS12-020 was a network-based vulnerability that could be exploited without authentication, or, in other words, 'worm food'. Today's RDP bug looks like an equally serious bug that was probably uncovered in the process of testing the previous RDP bug fixes.
“Given the serious nature of the first RDP bug, it's not surprising that there was a lot of extra testing going on. Since today's patch release is conspicuously missing an acknowledgement for the bug finder, it seems safe to assume it was found by Microsoft staff.”
Miller said: “MS12-036 is the second bulletin administrators should address immediately this month. This fixes one vulnerability in Microsoft's RDP client. With this vulnerability, an unauthenticated attacker sends malicious RDP packets to a machine that has RDP enabled and can result in remote code execution.
“It is important to note a few items with this bulletin: first, RDP is not enabled by default on systems but the majority of administrators rely on RDP to manage their servers and workstations; second, this type of an attack is an unauthenticated attack that raises the severity of the vulnerability.
“Third, even if your machines do not have RDP enabled, administrators should still apply this bulletin to all of their machines. By installing this bulletin, administrators do not have to worry about a machine having RDP enabled at a later time. Without patching RDP, the machine would be instantly vulnerable to attacks.”
Microsoft also added an automatic updater feature for Windows Vista and Windows 7 untrusted certificates; it provides a mechanism to allow Windows to specifically flag certificates as untrusted.
With this, Windows will check daily for updated information about certificates that are no longer trustworthy. It also said it will release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length in August; this will enable it to treat all certificates as invalid, even if they are currently valid and signed by a trusted certificate authority.
Paul Henry, security and forensic analyst at Lumension, said: “Microsoft handled the discovery of Flame in the best manner possible. In Microsoft's most recent post, they explained that by default the attacker's certificate would not work on Windows Vista or more recent versions of Windows.
“Attackers had to perform a collision attack to forge a certificate that would be valid for code signing on Windows Vista or more recent versions of Windows. On systems that pre-date Windows Vista, an attack is possible without an MD5 hash collision. This reiterates the need for IT administrators to update OSes to Vista or a later version.”