Microsoft released seven bulletins on its final Patch Tuesday of 2012 this week.
The patches address five critical flaws and two rated as important, and were issued for Windows, Internet Explorer, Word and Windows Server. Microsoft recommended patching MS12-077 first, which covers three critical-class issues in Internet Explorer. Microsoft said that there are no known attack vectors for these versions as yet.
Wolfgang Kandek, CTO of Qualys, said: “Bulletin MS12-077 addresses vulnerabilities in Internet Explorer 9 and 10, the newest versions of IE that run under Vista, Windows 7 and Windows 8. Here, an attacker would have to lure the attack target to browse to a malicious webpage. This is a tad harder than sending the target a simple e-mail, another common attack method.”
Marc Maiffret, CTO of BeyondTrust, said: “There is a good combination of vulnerabilities that can be mixed together to provide a good arsenal for client-side attacks. Internet Explorer 9 and 10 are both susceptible to three different vulnerabilities (MS12-077) that attackers can use to execute malicious code on a user's computer. If the browser attacks don't appeal to an attacker's fancy, they still have the option of exploiting a vulnerability in Microsoft Word (MS12-079) that affects versions 2003, 2007 and 2010.”
MS12-079, which patches one issue in Microsoft Word, is also rated as critical and can result in remote code execution. Ziv Mador, director of security research at Trustwave SpiderLabs, said: “While Microsoft has not yet seen this one being exploited in the wild, they do expect exploited code to show soon. This one has to do with how MS Word parses Rich Text Format (RTF) files and again, could result in remote code execution. The problem is present in Word 2003, 2007, 2010 and even MS Word Viewer. Users of Outlook 2007 and Outlook 2010 should also take note as MS Word is set as the default email reader for those email clients.”
Kandek said: “Of the five critical patches, we think that MS12-079 is the most important. The attack can be accomplished through email using a flaw in the RTF. An attacker can gain control of a computer without end user interaction because Microsoft Outlook automatically displays the malicious text in the Preview Pane. A potential work-around is to manually configure the preview pane in Outlook's Trust Center to use plain text only, but one loses a significant amount of functionality that way.”
Andrew Storms, director of security operations at nCircle, said: “As if the IE bug wasn't enough, attackers are also getting an RTF email bug in their stockings. Users who receive a malformed email don't even have to open the email to be exploited. Just showing malformed email in the preview pane is enough for a successful attack. Obviously, this is one that should be patched quickly.”
Maiffret highlighted MS12-080 as a key patch, as this covers the WebReady component in Exchange, which uses Oracle Outside In libraries. He said: “For those unfamiliar with the previous vulnerability, here's a quick recap. Microsoft uses the Oracle Outside In libraries to parse and display documents in emails. Oracle recently patched a couple of vulnerabilities, which affect components of WebReady, thus making Outlook Exchange vulnerable.
“These vulnerabilities affect the Outside In filters and the HTML Export SDK, which (if properly exploited) could allow an attacker to run code on the Exchange Server in the context of the LocalService account.”
Kandek said: “MS12-080 is this month's only server side bulletin and it addresses a vulnerability in Microsoft Exchange and SharePoint that stems from the inclusion of the Oracle Outside In file conversion software. IT admins should treat this bulletin the same way that they treated MS12-058 in August 2012 which had the exact same root cause, i.e. Oracle's release of a new version of Outside In in their quarterly Critical Patch Update.”
Mador highlighted MS12-081, which fixes a critical remote code execution issue in Windows File Handling. He said: “This vulnerability could allow remote code execution if a user browsed to a folder that contains a file or subfolder with a specially crafted name and it impacts pretty much everything from XP SP3 to Server 2008 R2.
“Of course ‘browse to a folder’ can be accomplished with an email attachment if the attacker can get the receiver to open it. If you are still running an older version of the OS, Microsoft thinks this vulnerability will be pretty easy to exploit.”
Finally, looking at the important-rated patches, Maiffret said: “MS12-081 addresses a remote code execution vulnerability in the Windows File Handling Component. MS12-082 fixes a heap overflow in DirectPlay, which affects all versions of Windows, except for Windows RT. Lastly, MS12-083 plugs a hole in IP-HTTPS that permits a security feature bypass.”