Beyondtrust

BeyondTrust Patch Tuesday

August 14, 2012

Microsoft Patch Summary

This month, Microsoft released 9 patches that repair a total of 26 unique CVEs. Of these vulnerabilities, there were 24 remote code execution vulnerabilities, 1 elevation of privilege vulnerability, and 1 denial of service vulnerability.

Administrators are advised to patch MS12-058 and MS12-060 immediately, since they are the most severe of the critical bulletins. Next, administrators should patch MS12-052, MS12-053, and MS12-054 immediately after the first two bulletins, to prevent exploitation by attackers. Finally, administrators should patch MS12-055, MS12-056, MS12-057, and MS12-059 as soon as possible. As always, BeyondTrust suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the BeyondTrust Security Research Team.
Register Now >>

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The BeyondTrust Research Team
  • Date/Time: Wednesday, August 15th
    1pm PT / 4pm ET / 9pm GMT

BULLETIN / ADVISORY DETAILS

MS12-052

Cumulative Security Update for Internet Explorer (2722913)


Microsoft Rating:

Critical

CVE List:

CVE-2012-1526, CVE-2012-2521, CVE-2012-2522, and CVE-2012-2523

 

Analysis:

This bulletin addresses 4 privately reported remote code execution vulnerabilities in Internet Explorer. The patch fixes memory corruption vulnerabilities that occur when Internet Explorer attempts to access an object that has not been initialized or has already been deleted, or accesses a corrupted virtual function table. An attacker that successfully exploited these vulnerabilities would gain user level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

 

MS12-053

Vulnerability in Remote Desktop Could Allow Remote Code Execution (2723135)


Microsoft Rating:

Critical

CVE:

CVE-2012-2526

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Windows XP SP3. The patch fixes a use-after-free vulnerability that occurs when the Remote Desktop Protocol accesses an object in memory that has already been deleted. An attacker that successfully exploited this vulnerability would gain System level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block TCP port 3389 at the perimeter firewall. Additionally, disable Remote Desktop if the service is no longer used.

 

MS12-054

Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)


Microsoft Rating:

Critical

CVE List:

CVE-2012-1850, CVE-2012-1851, CVE-2012-1852, and CVE-2012-1853

 

Analysis:

This bulletin addresses 4 privately reported vulnerabilities composed of 1 denial of service vulnerability and 3 remote code execution vulnerabilities in Windows XP through 7, and Windows Server 2003 through 2008 R2. The patch fixes multiple memory corruption vulnerabilities that occur when Windows networking components mishandle specially crafted requests and responses. An attacker that successfully exploited these vulnerabilities would gain System level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, disable the Print Spooler service if printing is not used.

 

MS12-055

Vulnerability in Windows Kernal-Mode Drivers Could Allow Elevation of Privilege (2731847)


Microsoft Rating:

Important

CVE:

CVE-2012-2527

 

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in Windows XP through 7, and Windows Server 2003 through 2008 R2. The patch fixes a memory vulnerability that occurs when the Windows kernel-mode driver mishandles objects in memory. A local attacker that successfully exploited this vulnerability would gain kernel level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS12-056

Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045)


Microsoft Rating:

Important

CVE:

CVE-2012-2523

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in 64-bit versions of Windows XP, Server 2003, Vista, 7 and Server 2008. The patch fixes a memory corruption vulnerability that occurs when the JScript engine miscalculates the size of an object in memory that is later used in a copy operation. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, configure Internet Explorer to run in 32-bit mode, or block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

 

MS12-057

Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879)


Microsoft Rating:

Important

CVE:

CVE-2012-2524

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Office 2007 and 2010. The patch fixes a memory corruption vulnerability that occurs when Office mishandles specially crafted CGM files. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, do not open Office files that contain CGM files, or embed CGM files that came from untrusted sources.

 

MS12-058

Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358)


Microsoft Rating:

Critical

CVE:

CVE-2012-1766, CVE-2012-1767, CVE-2012-1768, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, CVE-2012-3109, and CVE-2012-3110

 

Analysis:

This bulletin addresses multiple publicly reported remote code execution vulnerabilities in Exchange 2007 and 2010. The patch fixes parsing vulnerabilities that occur when certain Oracle Outside In libraries are used to preview a document in the browser. An attacker that successfully exploited this vulnerability would gain LocalService level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, disable WebReady document view.

 

MS12-059

Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918)


Microsoft Rating:

Important

CVE:

CVE-2012-1888

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Visio. The patch fixes a memory corruption vulnerability that occurs when Visio mishandles memory when parsing specially crafted Visio files. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, do not open Visio files that come from untrusted sources.

 

MS12-060

Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)


Microsoft Rating:

Critical

CVE:

CVE-2012-1856

 

Analysis:

This bulletin addresses a privately reported remote code execution in Windows common controls, which is found in Office 2003 through 2010, SQL Server 2000 Analysis Services, SQL Server 2000 (except Itanium versions), SQL Server 2005 (excluding Express Edition except for Express Edition with Advanced Services), SQL Server 2008 and 2008 R2, Commerce Server 2002, 2007, 2009 and 2009 R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 and 9.0, and the Visual Basic 6.0 Runtime. The patch fixes a system state corruption vulnerability that occurs when a certain ActiveX control is used. An attacker that successfully exploited this vulnerability would gain user level access to the target machine. Note: reports indicate that this vulnerability has been exploited in the wild.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, set a kill bit, 1EFB6596-857C-11D1-B16A-00C0F0283628, to stop Internet Explorer from running the vulnerable ActiveX control, prevent ActiveX controls from running in Office 2007 and 2010, block Office 2003 and earlier files, or block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones within Internet Explorer.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.