Microsoft released nine bulletins addressing 27 vulnerabilities on yesterday's Patch Tuesday.
The priority patch, according to commentators, is MS12-060, which fixes a vulnerability in the Windows Common Controls that can be triggered through Office documents and malicious web pages. According to Wolfgang Kandek, CTO of Qualys, it is already being exploited in the wild, and the currently known attacks have targeted Word and WordPad through RTF files attached to email messages.
Paul Henry, security and forensic analyst at Lumension, said: “MS12-060 affects all platforms of Windows and addresses an ActiveX component that's redistributed in many places in Windows. It's an issue that was previously patched and this month's patch cleans up the previous one. This is a very high priority update because it's native in Windows and impacts all Windows platforms.”
Ziv Mador, director of security research at Trustwave's SpiderLabs, said that MS12-060 has already been disclosed publicly and Microsoft is aware of limited targeted attacks but they haven't yet seen any proof of concept code.
“Considering this exploit results in remote code execution we can probably expect proof of concept real soon now,” he said.
“This one does require a bit of social engineering to exploit, as it requires a user to click a link, either on a web page, in an email, or in a message in Instant Messenger, or to open an attachment. The issue is found in an ActiveX control in the MSCOMCTL.OCX file, specifically the TabStrip control, which is a shared component across multiple MS Office products.
“There are two different versions of the patch depending on which version of SQL Server you have installed; if you have automatic updates turned on it is smart enough to get the correct one.”
Marc Maiffret, CTO of BeyondTrust, said: “Microsoft security bulletin MS12-058 details a vulnerability within Microsoft Exchange that essentially allows for remote system compromise if you send a specifically crafted email to an Exchange server where the email is then read by someone using Outlook Web Access. The reason this is possible is because of Microsoft's usage of Oracle's Outside In document parsing technology.”
Bulletin MS12-052 is a critical security update patching four vulnerabilities in Internet Explorer. Mador said: “We are looking at the possibility of remote code execution for the worst of them if you once again visit a specially crafted web page.”
Maiffret said: “Internet Explorer specifically has vulnerabilities that affect all versions of IE from 6.0 to 9.0 with critical remote code execution across all versions. These vulnerabilities will help to continue putting fuel to the various exploit toolkits used for mass scale hacking attacks and most likely some targeted attacks given the lag time in a typical organisation's time to patch.”
Mador pointed out that IE8 users will also need to install the important-rated patch MS12-056 to protect against CVE-2012-2523. Looking at this patch, he said: “This is yet another remote code execution flaw, but only for 64-bit versions of Windows. If a user visits a specially crafted web page an attacker could take advantage of a flaw in the JScript and/or VBScript engines.”
Also among the ‘critical’ patches are MS12-054, which addresses a flaw in the Remote Administration Protocol (RAP) of Windows Networking that an attacker can use to spread quickly within enterprise networks, and MS12-053, a fix for a Remote Desktop Protocol (RDP) vulnerability in Windows XP running Terminal Services.
Jason Miller, manager of research and development at VMware, said: “The last Microsoft security bulletin administrators should pay particular attention to this month is MS12-054. This bulletin addresses multiple vulnerabilities in the Windows Networking Components.
“If an attacker is able to share a resource with a malicious name on a network, the attacker can gain control of other systems with an unauthenticated response to the machine. An example of this is any resource, such as a shared printer, that machines will attempt to find on a network.”
Andrew Storms, director of security operations at nCircle, said: “MS12-054 contains a print spooler bug with a potentially wormable condition. Keen-eyed attackers are going to need to focus carefully on a vulnerability to uncover all of its potential. This is something that predominantly affects small business and campus locations where Windows computers are configured in workgroups.
“Hidden lower in the MS deployment priority is MS12-053, an RDP bug only affecting XP, another bug with a potentially wormable condition. This one has the potential for serious impact because it is network aware and no authentication is required. If you have XP on your network, then get the mitigations for this one installed ASAP.”
The remaining Microsoft bulletins are rated ‘important’ and address a local privilege escalation vulnerability in Windows (MS12-055), a file format problem in the Visio DXF format (MS12-059) and a fix for the Office CGM graphics file format (MS12-057).