BeyondTrust Patch Tuesday
December 11, 2012
Microsoft Patch Summary
This month, Microsoft released seven patches that repair a total of 11 vulnerabilities. These patches address nine remote code execution vulnerabilities, a denial of service vulnerability, and a security feature bypass vulnerability.
Administrators are advised to patch MS12-077, MS12-078, MS12-079, MS12-080, and MS12-081 immediately to prevent exploitation by attackers. Finally, administrators should patch MS12-082 and MS12-083 as soon as possible. As always, BeyondTrust suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the BeyondTrust Security Research Team.
- Web Event: Vulnerability Expert Forum (VEF)
- Presenters: The BeyondTrust Research Team
- Date/Time: Wednesday, Dec 12th, 1pm PT / 4pm ET / 9pm GMT
BULLETIN / ADVISORY DETAILS
MS12-077
Cumulative Security Update for Internet Explorer (2761465)
Microsoft Rating:
CVE List:
CVE-2012-4781, CVE-2012-4782, and CVE-2012-4787
Analysis:
This bulletin addresses three privately reported remote code execution vulnerabilities in Internet Explorer. The patch fixes three use-after-free vulnerabilities that occur when handling objects in memory. An attacker who successfully exploited any of these vulnerabilities would gain user level access to the target machine.
Recommendation:
Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.
MS12-078
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2783534)
Microsoft Rating:
CVE List:
CVE-2012-2556, CVE-2012-4786
Analysis:
This bulletin addresses one privately reported remote code execution vulnerability and one publicly reported remote code execution vulnerability in Windows. The patch fixes memory corruption vulnerabilities that occur when a user opens a document that contains maliciously crafted OpenType or TrueType fonts. An attacker that successfully exploited this vulnerability would gain kernel level access to the target machine.
Recommendation:
Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ports 139 and 445 at the perimeter firewall, prevent the WebClient service from running, and disable both the Preview and Details Pane in Windows Explorer.
MS12-079
Vulnerability in Microsoft Word Could Allow Remote Code Execution (2780642)
Microsoft Rating:
CVE:
CVE-2012-2539
Analysis:
This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Word. The patch fixes an RTF parsing vulnerability that occurs when Word attempts to parse specially crafted RTF formatted data. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.
Recommendation:
Install the patch immediately to prevent exploitation by attackers. Until the patch can be applied, read emails in plaintext mode and use the File Block policy to prevent RTF documents from being opened if they came from untrusted sources.
MS12-080
Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2784126)
Microsoft Rating:
CVE List:
CVE-2012-3214, CVE-2012-3217, and CVE-2012-4791
Analysis:
This bulletin addresses one privately reported denial of service vulnerability and two publicly reported remote code execution vulnerabilities in Exchange. The patch fixes a denial of service vulnerability that occurs when Exchange mishandles a specially crafted RSS feed. Additionally, the patch fixes two memory corruption vulnerabilities that occur when a user previews a specially crafted file attachment through Outlook Web Access using WebReady Document Viewing. An attacker who successfully exploited the latter vulnerabilities would gain LocalService level access to the target machine.
Recommendation:
Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, prevent the WebReady service from running.
MS12-081
Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2758857)
Microsoft Rating:
CVE:
CVE-2012-4774
Analysis:
This bulletin addresses a privately reported remote code execution vulnerability in the Windows File Handling component. The patch fixes a memory corruption vulnerability that occurs when parsing specially crafted filenames or folder names. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.
Recommendation:
Install the patch immediately to prevent exploitation by attackers; no mitigation is available.
MS12-082
Vulnerability in DirectPlay Could Allow Remote Code Execution (2770660)
Microsoft Rating:
CVE:
CVE-2012-1537
Analysis:
This bulletin addresses a privately reported remote code execution vulnerability in DirectPlay. The patch fixes a memory corruption vulnerability that occurs when DirectPlay mishandles certain content embedded in a specially crafted Office document. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.
Recommendation:
Deploy the patch as soon as possible. Until the patch can be applied, block the opening of RTF files that come from untrusted sources, block Word 2003 and earlier files from untrusted sources, and disable ActiveX controls from running in Office 2007 and 2010.
MS12-083
Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass (2765809)
Microsoft Rating:
CVE:
CVE-2012-2549
Analysis:
This bulletin addresses a privately reported security feature bypass vulnerability in the IP-HTTPS component of Windows. The patch fixes a flaw in how IP-HTTPS checks the validity of certificates. An attacker who successfully exploited this vulnerability could bypass that certificate validity check.
Recommendation:
Deploy the patch as soon as possible. Until the patch can be installed, determine which domain computer accounts are associated with revoked client certificates and disable those accounts.
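The following PowerShell audit script is an added example, not part of the BeyondTrust advisory: it reports whether a Windows host shows the seven bulletin KB numbers listed above as installed and whether the interim MS12-078 and MS12-079 workarounds (WebClient service stopped and disabled, Word 2010 RTF File Block, Outlook 2010 plain-text reading) are in place. The registry paths and expected values are assumptions taken from Microsoft's documented Office 2010 workarounds, and a bulletin's KB number can differ from the KB of the package actually installed, so a MISSING result means "verify in WSUS or MBSA", not "unpatched".

```powershell
# Added audit script; not from the BeyondTrust advisory. Read-only: it only
# reports state. Run from an elevated PowerShell prompt on the host being checked.

# Bulletin -> KB article number, as printed in each bulletin title above.
# Caveat: Get-HotFix lists Windows packages only (not Office or Exchange), and a
# package KB can differ from the bulletin KB, so MISSING means "verify elsewhere".
$bulletins = @{
    'MS12-077' = 'KB2761465'; 'MS12-078' = 'KB2783534'; 'MS12-079' = 'KB2780642'
    'MS12-080' = 'KB2784126'; 'MS12-081' = 'KB2758857'; 'MS12-082' = 'KB2770660'
    'MS12-083' = 'KB2765809'
}
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
foreach ($name in ($bulletins.Keys | Sort-Object)) {
    $kb = $bulletins[$name]
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    '{0} {1}: {2}' -f $name, $kb, $state
}

# MS12-078 workaround: the WebClient service should be stopped and disabled.
# Win32_Service is queried (rather than Get-Service) because StartMode is needed
# and older PowerShell versions do not expose it on service objects.
$web = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
if ($web -eq $null) {
    'WebClient: not present on this host'
} elseif ($web.State -eq 'Stopped' -and $web.StartMode -eq 'Disabled') {
    'WebClient: stopped and disabled (mitigated)'
} else {
    'WebClient: {0}/{1} (NOT mitigated)' -f $web.State, $web.StartMode
}

# MS12-079 workarounds: Word 2010 File Block for RTF and Outlook 2010 plain-text
# reading. Assumed registry locations and values (Office 14.0 = Office 2010);
# change the version segment for other Office releases.
function Test-RegValue($path, $name, $expected) {
    $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq $expected) { 'set (mitigated)' } else { 'NOT set (current value: {0})' -f $v }
}
'Word 2010 RTF File Block: ' + (Test-RegValue 'HKCU:\Software\Microsoft\Office\14.0\Word\Security\FileBlock' 'RtfFiles' 2)
'Outlook 2010 ReadAsPlain: ' + (Test-RegValue 'HKCU:\Software\Microsoft\Office\14.0\Outlook\Options\Mail' 'ReadAsPlain' 1)
```

The registry checks read HKCU, so run the script as the user whose Office settings are being audited; policy-deployed settings may live under the equivalent Policies path instead.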
Feedback
The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.
Disclaimer
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.