Beyondtrust

BeyondTrust Patch Tuesday

July 10, 2012

Microsoft Patch Summary

This month, Microsoft released 9 patches that repair a total of 16 vulnerabilities. Of these vulnerabilities, there were 6 remote code execution vulnerabilities, 6 elevation of privilege vulnerabilities, and 4 information disclosure vulnerabilities.

Administrators are advised to patch MS12-043, MS12-044, and MS12-045 immediately to prevent exploitation by attackers. Lastly, administrators should patch MS12-046, MS12-047, MS12-048, MS12-049, MS12-050, and MS12-051 as soon as possible. As always, BeyondTrust suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the BeyondTrust Security Research Team.
Register Now >>

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The BeyondTrust Research Team
  • Date/Time: Wednesday, July 11th
    1pm PT / 4pm ET / 9pm GMT

BULLETIN / ADVISORY DETAILS

MS12-043

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)


Microsoft Rating:

Critical

CVE:

CVE-2012-1889

 

Analysis:

This bulletin addresses a publicly disclosed remote code execution vulnerability in Microsoft XML Core Services. The patch fixes a memory corruption vulnerability that occurs when MSXML tries to access an in-memory object that has not been properly initialized. An attacker that successfully exploited this vulnerability could execute code on the target machine with user level rights. Note: public exploit code has been released that reliably exploits this vulnerability. Additionally, popular exploit toolkits have added exploits for this vulnerability to their collections.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, install the Microsoft Fix it solution (support.microsoft.com/kb/2722479), which will mitigate the attack vector for MSXML 5.0. Additionally, block/disable Active Scripting in both Internet and Local intranet zones, and set a killbit on the vulnerable MSXML 5.0 GUID (88d969e5-f192-11d4-a65f-0040963251e5) in the registry.

 

MS12-044

Cumulative Security Update for Internet Explorer (2719177)


Microsoft Rating:

Critical

CVE List:

CVE-2012-1522 and CVE-2012-1524

 

Analysis:

This bulletin addresses 2 privately reported vulnerabilities, both of which are remote code execution vulnerabilities in Internet Explorer. The patch fixes 2 use-after-free vulnerabilities that occur when Internet Explorer tries to use in-memory objects that have been deleted. An attacker that successfully exploited this vulnerability could execute code on the target machine with user level rights.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

 

MS12-045

Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365)


Microsoft Rating:

Critical

CVE:

CVE-2012-1891

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Data Access Components (MDAC). The patch fixes an uninitialized variable usage vulnerability that occurs when processing XML code. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

 

MS12-046

Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (2707960)


Microsoft Rating:

Important

CVE:

CVE-2012-1854

 

Analysis:

This bulletin addresses a publicly disclosed remote code execution vulnerability in Visual Basic for Applications. The patch fixes an insecure library loading vulnerability. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 at the perimeter firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

 

MS12-047

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523)


Microsoft Rating:

Important

CVE List:

CVE-2012-1890 and CVE-2012-1893

 

Analysis:

This bulletin addresses a publicly disclosed and a privately reported vulnerability, both of which are elevation of privilege vulnerabilities in Windows Kernel-Mode Drivers. The patch fixes how win32k.sys loads keyboard layout files and also fixes how the kernel validates parameters that are used in the creation of a hook procedure. A local attacker that successfully exploited this vulnerability would be able to elevate their privileges to system level.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS12-048

Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442)


Microsoft Rating:

Important

CVE:

CVE-2012-0175

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Windows Shell. The patch fixes how the shell handles specially crafted filenames and directories. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS12-049

Vulnerability in TLS Could Allow Information Disclosure (2655992)


Microsoft Rating:

Important

CVE:

CVE-2012-1870

 

Analysis:

This bulletin addresses a publicly disclosed information disclosure vulnerability in Transport Layer Security (TLS). The patch fixes a design flaw in the TLS protocol, specifically when the Cipher-block chaining operating mode is used. An attacker that successfully exploited this vulnerability would be able to decrypt encrypted traffic that has been intercepted by the attacker.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available for Windows XP or Server 2003 systems. Until the patch can be installed, increase the priority of the RC4 algorithm on any server software running on Vista, Server 2008, 7, or Server 2008 R2.

 

MS12-050

Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)


Microsoft Rating:

Important

CVE List:

CVE-2012-1858, CVE-2012-1859, CVE-2012-1860, CVE-2012-1861, CVE-2012-1862 and CVE-2012-1863

 

Analysis:

This bulletin addresses 1 publicly disclosed and 5 privately reported elevation of privilege vulnerabilities in SharePoint. The patch fixes multiple cross-site scripting vulnerabilities, information disclosure vulnerabilities, and elevation of privilege vulnerabilities. An attacker that successfully exploited the elevation of privilege vulnerabilities would gain the ability to execute actions on behalf of the user currently signed onto the SharePoint server.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS12-051

Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege (2721015)


Microsoft Rating:

Important

CVE:

CVE-2012-1894

 

Analysis:

This bulletin addresses a publicly disclosed elevation of privilege vulnerability in Microsoft Office for Mac 2011. The patch fixes an issue with the directory permissions of certain Microsoft Office folders, which do not properly restrict write access. A local attacker that successfully exploited this vulnerability would gain the same permissions as any user that launched Office for Mac on the target machine.

 

Recommendation:

eploy patches as soon as possible. Until the patch can be installed, use chmod to restrict others from writing to the affected folders.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.