Microsoft released seven security bulletins yesterday addressing 20 vulnerabilities, only one of them rated critical.
The flaws include elevation of privilege, denial of service and remote code execution, and the release follows Microsoft's announcement that Windows will reject certificates whose RSA keys are shorter than 1024 bits.
The critical bulletin, MS12-064, fixes two vulnerabilities in Microsoft Word and applies across supported versions of Microsoft Office. Wolfgang Kandek, CTO of Qualys, said: “It addresses a vulnerability that can be exploited via a malicious RTF formatted email through the Outlook Preview pane without having to open the email.
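The key-length change mentioned above is the one item in this release an administrator can audit for in advance. The following is an added example, not code from the article or from Microsoft: it walks the local certificate stores and lists every RSA certificate below the 1024-bit floor. It assumes Windows PowerShell 5.1, where `PublicKey.Key` is populated for RSA certificates; the function and parameter names are hypothetical.

```powershell
# Added example (not from the article): list certificates in the local Windows
# certificate stores whose RSA public key is shorter than the 1024-bit floor.
# Assumes Windows PowerShell 5.1, where $cert.PublicKey.Key is populated for RSA keys.
# Run in an elevated session to see LocalMachine stores as well as CurrentUser.
function Find-WeakRsaCertificate {
    param([int]$MinimumBits = 1024)   # hypothetical parameter name

    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
        ForEach-Object {
            $bits = $_.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = ($_.PSParentPath -replace '^.*::', '')
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}

# Usage: show every weak certificate, expired ones included, so they can be
# replaced or removed before the key-length restriction is enforced.
Find-WeakRsaCertificate | Sort-Object Store, KeyBits | Format-Table -AutoSize
```

Certificates that turn up here will stop chaining once the restriction is in place, so the useful follow-up is to check which services still present them, not merely to delete them from the store.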
“Since the development complexity of an attack against this vulnerability is low, we believe this vulnerability will be the first to have an exploit developed and recommend applying the MS12-064 update as quickly as possible.”
Ziv Mador, director of security research at Trustwave SpiderLabs, said: “A specially crafted RTF file could allow an attacker to take complete control of a system to install their own programs, delete data or even create new accounts. The vulnerability is present in most versions of Microsoft Word 2003, 2007, 2010 and even SharePoint Server 2010 SP1 and is caused by how Word handles memory when parsing certain files.
“This one can be a little tricky because Microsoft Word is set as the default mail reader in Outlook 2007 and 2010, which means that an attacker could leverage email as the attack vector to get you to open the specially crafted RTF file. This vulnerability has been hidden away in a dungeon and has not yet been seen in the wild.”
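Both quotes above describe the same exposure: RTF rendered by Word inside the Outlook preview pane. The following is an added example, not code from the article or from Microsoft, showing the two per-user stopgaps an administrator can apply until the update lands: blocking RTF in Word's File Block settings and forcing Outlook to read all mail as plain text. The registry locations are recalled from the bulletin's workaround section and are assumptions to confirm against it before deployment; the function names are hypothetical.

```powershell
# Added example (not from the article or from Microsoft): apply the per-user interim
# mitigations for the MS12-064 RTF vector until the update is deployed, and report
# the current state. Registry locations are recalled from the bulletin's workarounds
# and are assumptions to confirm against it before use; function names are hypothetical.

function Ensure-RegistryKey {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
}

# Word File Block: 14.0 (Word 2010) uses FileBlock with 2 = do not open or save RTF;
# 12.0 (Word 2007) uses FileOpenBlock with 1 = block opening RTF.
$WordRtfBlock = @(
    @{ Path = 'HKCU:\Software\Microsoft\Office\14.0\Word\Security\FileBlock';     Value = 2 }
    @{ Path = 'HKCU:\Software\Microsoft\Office\12.0\Word\Security\FileOpenBlock'; Value = 1 }
)

# Outlook: ReadAsPlain = 1 renders all mail as plain text, so the preview pane
# never hands RTF to the Word rendering engine.
$OutlookMailOptions = @(
    'HKCU:\Software\Microsoft\Office\14.0\Outlook\Options\Mail'
    'HKCU:\Software\Microsoft\Office\12.0\Outlook\Options\Mail'
)

function Set-RtfMitigation {
    foreach ($entry in $WordRtfBlock) {
        Ensure-RegistryKey -Path $entry.Path
        Set-ItemProperty -Path $entry.Path -Name 'RtfFiles' -Value $entry.Value -Type DWord
    }
    foreach ($path in $OutlookMailOptions) {
        Ensure-RegistryKey -Path $path
        Set-ItemProperty -Path $path -Name 'ReadAsPlain' -Value 1 -Type DWord
    }
}

function Get-RtfMitigationState {
    foreach ($entry in $WordRtfBlock) {
        [pscustomobject]@{
            Setting = "$($entry.Path)\RtfFiles"
            Value   = (Get-ItemProperty -Path $entry.Path -Name 'RtfFiles' -ErrorAction SilentlyContinue).RtfFiles
            Wanted  = $entry.Value
        }
    }
    foreach ($path in $OutlookMailOptions) {
        [pscustomobject]@{
            Setting = "$path\ReadAsPlain"
            Value   = (Get-ItemProperty -Path $path -Name 'ReadAsPlain' -ErrorAction SilentlyContinue).ReadAsPlain
            Wanted  = 1
        }
    }
}

Set-RtfMitigation
Get-RtfMitigationState | Format-Table -AutoSize
```

These settings are written under HKCU, so they protect only the profile that runs the script; for a fleet the same values belong in the equivalent policy keys pushed by Group Policy. Blocking RTF also blocks legitimate RTF documents, so remove the `RtfFiles` and `ReadAsPlain` values with `Remove-ItemProperty` once MS12-064 is installed.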
The remaining six bulletins are rated important. Mador said he was surprised to see a fix for Microsoft Works: MS12-065 addresses a remote code execution flaw in Works 9. “If you are using Works 9.0 you will want to pay attention to this one, especially if you try to open Microsoft Word files with your version of Works. When Works attempts to convert a Word file it can potentially cause system memory corruption that could allow an attacker to execute arbitrary code,” he said.
MS12-066 addresses a cross-site scripting (XSS) vulnerability in Microsoft's SafeHTML sanitisation library, which is shared by a number of products including SharePoint and Lync, Microsoft's enterprise instant-messaging and communications client.
Paul Henry, security and forensic analyst for Lumension, said: “MS12-066 is an HTML sanitisation fix. There have been limited active attacks on this in the past, but most of it was handled in a previous bulletin. This cleans up the vulnerability code that was left out and cleans up the HTML sanitisation component in Windows.”
Kandek said MS12-067 is another instance of a vulnerability inherited from the Oracle Outside In file-parsing library, which Microsoft embeds in FAST Search Server 2010 for SharePoint. “Oracle addressed a number of critical vulnerabilities in that library in its last CPU in June 2012, and now all software vendors that had embedded a version of this vulnerable library need to provide updates to their products,” he said.
“This instance is a non-default, paid add-on to SharePoint that provides document indexing capabilities. An organisation could be exploited if the add-on is installed and if an attacker is able to upload a malicious file into a SharePoint server.”
Jason Miller, manager of research and development at VMware, said: “This is the second time this year we have seen Microsoft release a security bulletin for vulnerabilities that exist in Oracle's software. Microsoft SharePoint servers with Fast Search 2010 use Oracle's Outside-In libraries code in their product. We could be seeing different software vendors working more closely on security vulnerabilities in shared software code.”
MS12-068 fixes an elevation of privilege flaw in the Windows kernel. Mador said: “This is a classic elevation of privilege requiring an attacker to already have access to a system either through legitimate credentials or some other vulnerability. Once inside, an attacker could use this vulnerability to gain administrator level access.”
MS12-069 applies to Windows 7 and Windows Server 2008 R2 and addresses a denial-of-service (DoS) vulnerability in which a specially crafted Kerberos packet can crash the target machine. Henry said: “This is a DoS issue that affects Windows Authentication for DoS. If you're accepting Kerberos for Windows authentication, then you are vulnerable to this DoS.”
Finally, MS12-070 fixes an XSS vulnerability in SQL Server Reporting Services. Kandek said: “An attacker could use it to gain information about the SQL Server installation and would have to convince an SQL Server administrator to click on a link that contains the malicious XSS code.”