Microsoft released nine security bulletins on yesterday's Patch Tuesday, including three rated as critical and six as important, which address 16 issues in Microsoft Windows, Internet Explorer, Visual Basic for Applications and Microsoft Office.
The critical bulletins begin with MS12-044, an update for Internet Explorer 9 that addresses two critical vulnerabilities. According to Wolfgang Kandek, CTO of Qualys, both can be triggered through a malicious web page and both allow the attacker remote code execution.
“What makes MS12-044 more interesting is that it only applies to IE 9, a clear sign that security researchers have started to shift their attention to the new version of the browser,” he said.
Microsoft said the two vulnerabilities were privately disclosed to it, and it has no indication that they are being exploited in the wild.
Jason Miller, manager of research and development at VMware, said: “We are seeing for the first time in a long time that Microsoft has gone consecutive months with a cumulative security update for Internet Explorer. Typically, we can expect an update to Microsoft's Internet Explorer browser every other month.”
Patch MS12-043 addresses one issue in the XML core services, affecting all supported versions of Windows. Andrew Storms, director of security operations for nCircle, said: “The most important patch this month is undoubtedly the XML core services bug. Microsoft issued an advisory for this bug in early June and we've already seen the exploit in a number of exploit toolkits and attacks have been reported in the wild.
“If you are paying close attention, you'll notice that the XML version five patch for the bug isn't shipping today. The fix for this version is probably not ready yet, so Microsoft decided to deliver the other patches. So far, all the attacks in the wild utilise XML version three, so this release, even though not totally complete, seems like a no-brainer.”
Miller also said that this is the most important bulletin this month, as it is a zero-day. “During the June 2012 Patch Tuesday, Microsoft released a security advisory stating they were aware of active but limited attacks against vulnerability in Microsoft XML Core Services,” he said.
“In the past week, the code for this exploit has been made public, making this patch even more important in terms of severity. With this vulnerability, a user who browses to a malicious website with Internet Explorer can result in remote code execution.”
The final critical patch is MS12-045, an update for the Microsoft Data Access Components (MDAC) that exists in all versions of Windows. Miller said: “Similar to the previous security bulletins mentioned, navigating to a malicious website with an unpatched system can result in remote code execution. In addition, a user opening a Microsoft Office document with a malicious embedded ActiveX control can result in remote code execution.”
The remaining patches are rated as ‘important'. Kandek said that MS12-046 deserves special attention, primarily if you have machines that are configured for Asian character input.
He said: “The bulletin addresses a remote code execution vulnerability in Microsoft Office through the IMESHARE.dll, which is used in multi-byte character input. We generally believe that Office vulnerabilities that allow for remote code execution deserve a rating higher than ‘important'.”
Ziv Mador, director of security research at Trustwave SpiderLabs, said: “If you open a perfectly good Microsoft office file (such as a .docx) that just happens to have specially crafted DLL in the same directory, an attacker can then do all kinds of nasty things such as delete files, create new accounts, etc. and if you're logged in as admin, well, then the bad guys basically own the whole box.
“If you have Visual Basic for Applications SDK, or third party applications that use MS VBA, or even one of several different versions of MS office installed you will need this update. Since this one has been seen in the wild you will want to apply this update as soon as you can."