
BeyondTrust Patch Tuesday

June 12, 2012

Microsoft Patch Summary

This month, Microsoft released 7 bulletins addressing 26 distinct CVEs: 14 remote code execution, 7 elevation of privilege, 4 information disclosure, and 1 cross-site scripting vulnerability. (CVE-2012-1858 is counted once; it is fixed by both MS12-037 and MS12-039.) The Research Team's blog post on this month's release, "Patch Tuesday June 2012: RDP broken, again. Stuxnet TTF", was published earlier today.

Administrators are advised to patch MS12-036, MS12-037, and MS12-038 immediately to prevent exploitation by attackers. Next, administrators should patch MS12-039, MS12-040, MS12-041, and MS12-042 as soon as possible. As always, BeyondTrust suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the BeyondTrust Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The BeyondTrust Research Team
  • Date/Time: Wednesday, June 13th
    1pm PT / 4pm ET / 9pm GMT
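The first thing an administrator wants after reading the list above is to know which of the seven bulletins are actually missing on a given host. The following is an added example (not BeyondTrust's code) that checks the local machine against the KB numbers printed in the bulletin headings below. The bulletin-to-KB table is built from this newsletter; the InQfe flags are an assumption about which updates show up in the Windows hotfix inventory.

```powershell
# Added example, not BeyondTrust's code: report which of this month's bulletins
# are present on the local host, keyed by the KB numbers in this newsletter.
# Caveat: Get-HotFix reads Win32_QuickFixEngineering, which lists only Windows
# and Internet Explorer updates. Lync and Dynamics AX updates never appear there,
# and the .NET bulletin KB (2706726) is an umbrella whose per-framework packages
# install under their own KB numbers, so those three are flagged VerifyManually.
$bulletins = @(
    @{ Id = 'MS12-036'; KB = 'KB2685939'; InQfe = $true  },
    @{ Id = 'MS12-037'; KB = 'KB2699988'; InQfe = $true  },
    @{ Id = 'MS12-038'; KB = 'KB2706726'; InQfe = $false },
    @{ Id = 'MS12-039'; KB = 'KB2707956'; InQfe = $false },
    @{ Id = 'MS12-040'; KB = 'KB2709100'; InQfe = $false },
    @{ Id = 'MS12-041'; KB = 'KB2709162'; InQfe = $true  },
    @{ Id = 'MS12-042'; KB = 'KB2711167'; InQfe = $true  }
)

function Get-BulletinStatus {
    param([array]$Bulletins = $bulletins)
    # One WMI query up front; match against it in memory.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    foreach ($b in $Bulletins) {
        if (-not $b.InQfe)                  { $status = 'VerifyManually' }
        elseif ($installed -contains $b.KB) { $status = 'Installed' }
        else                                { $status = 'MISSING' }
        New-Object PSObject -Property @{ Bulletin = $b.Id; KB = $b.KB; Status = $status }
    }
}

# Usage: gaps sort to the top ('MISSING' precedes 'Installed' and 'VerifyManually').
Get-BulletinStatus | Sort-Object Status | Format-Table Bulletin, KB, Status -AutoSize
```

Treat VerifyManually entries as unknown, not as installed: check the Lync and Dynamics AX client/server versions through their own update mechanisms, and confirm the .NET update through the per-framework package KBs that the MS12-038 bulletin lists for your installed versions.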

BULLETIN / ADVISORY DETAILS

MS12-036

Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)


Microsoft Rating:

Critical

CVE:

CVE-2012-0173

 

Analysis:

This bulletin addresses 1 privately reported remote code execution vulnerability in the Remote Desktop Protocol (RDP) implementation. The patch corrects how Windows handles a maliciously crafted sequence of RDP packets, which could trigger a use-after-free condition. An attacker who can reach the RDP listener and successfully exploits this vulnerability would gain SYSTEM-level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block TCP port 3389 at the perimeter firewall, and disable Terminal Services, Remote Desktop, Remote Assistance, and Remote Web Workplace on any host where they are not needed. Note that a perimeter block does not protect against an attacker who is already on the internal network; systems that do not have RDP enabled are not exposed.
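For hosts that do not need Remote Desktop, the mitigation above can be applied and verified locally. The following is an added example (not BeyondTrust's code) for Windows Vista / Server 2008 and later; it assumes an elevated PowerShell prompt run from the console rather than over RDP, since it tears down the RDP listener you would be connected through.

```powershell
# Added example, not BeyondTrust's code: interim hardening for a host that does
# not need Remote Desktop, until KB2685939 (MS12-036) is installed.
# Assumes Windows Vista / Server 2008 or later and an elevated PowerShell prompt.

# 1. Host firewall: drop inbound TCP 3389 even if the perimeter rule is missed.
netsh advfirewall firewall add rule name="MS12-036 interim block TCP 3389" `
    dir=in action=block protocol=TCP localport=3389 | Out-Null

# 2. Terminal Services: deny connections, then stop and disable the service.
#    fDenyTSConnections=1 is the same switch the System Properties dialog flips.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 1 -Type DWord
Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
Set-Service  -Name TermService -StartupType Disabled

# 3. Remote Assistance uses the same RDP listener; switch it off too.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' `
    -Name fAllowToGetHelp -Value 0 -Type DWord

# Verification: returns $true only when nothing listens on TCP 3389 and the
# service start mode is Disabled (WMI StartMode also works on PowerShell 2.0).
function Test-RdpDisabled {
    $listener = netstat -ano -p TCP | Select-String ':3389\s+\S+\s+LISTENING'
    $svc = Get-WmiObject Win32_Service -Filter "Name='TermService'"
    return (-not $listener) -and ($svc.StartMode -eq 'Disabled')
}
Test-RdpDisabled
```

If Stop-Service fails because of active sessions or dependent services, the fDenyTSConnections setting still causes new connections to be refused; reboot to make the Disabled start mode take effect. Reverse all three steps once KB2685939 is installed and the host is confirmed patched.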

 

MS12-037

Cumulative Security Update for Internet Explorer (2699988)


Microsoft Rating:

Critical

CVE List:

CVE-2012-1523, CVE-2012-1858, CVE-2012-1872, CVE-2012-1873, CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877, CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881, and CVE-2012-1882

 

Analysis:

This bulletin addresses 1 publicly disclosed vulnerability and 12 privately reported vulnerabilities, comprising 9 remote code execution vulnerabilities and 4 information disclosure vulnerabilities in Internet Explorer. The patch fixes memory corruption bugs, cross-site scripting vulnerabilities, a character-handling issue, a cross-domain access vulnerability, and an issue that allows reading from Internet Explorer's process memory. An attacker who successfully exploited one of the remote code execution vulnerabilities would gain the rights of the logged-on user, so users who browse with administrative rights are exposed to full compromise of the machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, read e-mail in plain text, block ActiveX controls, and block or disable Active Scripting in both the Internet and Local intranet zones. Expect the zone changes to break many legitimate sites; add sites that genuinely need scripting to the Trusted sites zone rather than relaxing the Internet zone again.

 

MS12-038

Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)


Microsoft Rating:

Critical

CVE:

CVE-2012-1855

 

Analysis:

This bulletin addresses 1 privately reported remote code execution vulnerability in the .NET Framework. The patch corrects how the Framework validates a function pointer before executing it. The vulnerability is reachable through a malicious XAML browser application (XBAP) served to Internet Explorer, among other vectors; an attacker who successfully exploited it would gain the rights of the logged-on user.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block XAML browser applications (XBAPs) from running in Internet Explorer.

 

MS12-039

Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)


Microsoft Rating:

Important

CVE List:

CVE-2011-3402, CVE-2012-0159, CVE-2012-1849, and CVE-2012-1858

 

Analysis:

This bulletin addresses 1 publicly disclosed vulnerability and 3 privately reported vulnerabilities, comprising 3 remote code execution vulnerabilities and 1 information disclosure vulnerability in Microsoft Lync. The patch fixes 2 TrueType font parsing vulnerabilities (CVE-2011-3402, which has already been exploited in the wild, and CVE-2012-0159), 1 insecure library loading vulnerability (CVE-2012-1849), and 1 HTML sanitization / cross-site scripting vulnerability (CVE-2012-1858, the same issue fixed in MS12-037). An attacker who successfully exploited any of the remote code execution vulnerabilities would gain the rights of the logged-on user.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available for CVE-2011-3402, CVE-2012-0159, and CVE-2012-1858. Until the patch can be installed, CVE-2012-1849 can be mitigated by blocking outbound TCP ports 139 and 445 at the perimeter firewall (the attack requires the victim to load a DLL from an attacker-controlled share, so inbound rules alone do not help), preventing the WebClient service from running, and preventing DLLs from being loaded from WebDAV and remote shares.
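The three CVE-2012-1849 mitigations above can be applied on the endpoint itself. The following is an added example (not BeyondTrust's code) for Windows Vista / Server 2008 and later, run from an elevated prompt; the firewall scope and the CWDIllegalInDllSearch value are choices made for this example, not something the bulletin prescribes.

```powershell
# Added example, not BeyondTrust's code: interim mitigation for the insecure
# library loading issue (CVE-2012-1849) until KB2707956 (MS12-039) is applied.
# The attack needs the victim host to fetch a DLL from an attacker-controlled
# SMB or WebDAV share, so the firewall rules below are OUTBOUND; an inbound
# 139/445 block does nothing for this bug. Elevated prompt, Vista/2008 or later.

# 1. Host firewall: no outbound SMB. This also breaks access to legitimate file
#    servers, so in practice scope it with remoteip= to untrusted ranges.
foreach ($port in 139, 445) {
    netsh advfirewall firewall add rule name="MS12-039 interim block outbound TCP $port" `
        dir=out action=block protocol=TCP remoteport=$port | Out-Null
}

# 2. WebDAV: with WebClient stopped, a UNC path cannot fall back to HTTP.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. DLL search path: CWDIllegalInDllSearch is the value added by Microsoft's
#    KB2264107 update. 2 blocks DLL loads from the current working directory
#    when that directory is a WebDAV or remote UNC location. Older systems need
#    that update installed for the value to have any effect.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
    -Name CWDIllegalInDllSearch -Value 2 -Type DWord

# Verification: $true when both the registry hardening and the service change hold.
function Test-DllPreloadMitigation {
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    return ($sm.CWDIllegalInDllSearch -eq 2) -and ($svc.StartMode -eq 'Disabled')
}
Test-DllPreloadMitigation
```

Disabling WebClient also breaks WebDAV-based access such as opening SharePoint libraries in Explorer, and the CWDIllegalInDllSearch setting is a system-wide behaviour change that a few applications which load DLLs from their working directory on a share may not tolerate; test before deploying broadly.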

 

MS12-040

Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)


Microsoft Rating:

Important

CVE:

CVE-2012-1857

 

Analysis:

This bulletin addresses 1 privately reported cross-site scripting vulnerability in Dynamics AX Enterprise Portal. The patch fixes an issue that allows attacker-supplied script to run in the user's browser when the user follows a malicious link to the portal. An attacker who successfully exploited this vulnerability could execute script with the target user's rights in the portal, leading to information disclosure or actions taken on the user's behalf, which is why it is classified as an elevation of privilege.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, enable the XSS filter in Internet Explorer (available in IE 8 and newer). The filter is on by default for the Internet zone but off for the Local intranet zone, which is where an internal portal normally sits, so check that zone specifically.
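The Internet Explorer workarounds for MS12-037 (ActiveX and Active Scripting), MS12-038 (XAML browser applications) and MS12-040 (XSS filter) are all security-zone settings stored under the same registry key, so one script can apply and audit them. The following is an added example (not BeyondTrust's code) for the current user's Internet and Local intranet zones; the rule table is built from this newsletter's recommendations, and the action IDs are IE's documented zone values.

```powershell
# Added example, not BeyondTrust's code: applies the Internet Explorer zone
# workarounds given for MS12-037 (no ActiveX, no Active Scripting), MS12-038
# (no XAML browser applications) and MS12-040 (XSS Filter on) to the Internet
# and Local intranet zones of the current user, then reads them back.
# Zone numbers and action IDs are IE's documented Internet Settings values:
#   zone 1 = Local intranet, zone 3 = Internet
#   1200 = Run ActiveX controls and plug-ins   1400 = Active scripting
#   2400 = XAML browser applications           1409 = XSS Filter
#   data: 0 = Enable, 1 = Prompt, 3 = Disable  (for 1409, 0 means filter ON)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Desired state, one row per workaround in this newsletter.
$rules = @(
    @{ Action = '1200'; Data = 3; Why = 'MS12-037: block ActiveX controls' },
    @{ Action = '1400'; Data = 3; Why = 'MS12-037: disable Active Scripting' },
    @{ Action = '2400'; Data = 3; Why = 'MS12-038: block XAML browser applications' },
    @{ Action = '1409'; Data = 0; Why = 'MS12-040: enable the XSS Filter (IE8+)' }
)

function Set-ZoneHardening {
    param([int[]]$Zones = @(1, 3), [array]$Rules = $rules)
    foreach ($zone in $Zones) {
        $key = Join-Path $zonesRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($r in $Rules) {
            Set-ItemProperty -Path $key -Name $r.Action -Value $r.Data -Type DWord
        }
    }
}

# Returns one line per setting that is not in the desired state; an empty
# result means the workaround is fully in place for the given zones.
function Test-ZoneHardening {
    param([int[]]$Zones = @(1, 3), [array]$Rules = $rules)
    $drift = @()
    foreach ($zone in $Zones) {
        $props = Get-ItemProperty -Path (Join-Path $zonesRoot $zone) -ErrorAction SilentlyContinue
        foreach ($r in $Rules) {
            $actual = $props.($r.Action)
            if ($actual -ne $r.Data) {
                $drift += "zone $zone action $($r.Action) = '$actual', want $($r.Data)  [$($r.Why)]"
            }
        }
    }
    return $drift
}

Set-ZoneHardening
Test-ZoneHardening
```

These are per-user (HKCU) settings and take effect in new Internet Explorer windows. If zones are managed through Group Policy, or the Security_HKLM_only policy is set, the policy values win and this script's writes are ignored; in that case push the same action IDs through the policy instead. Run Test-ZoneHardening on its own to audit a machine without changing it.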

 

MS12-041

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)


Microsoft Rating:

Important

CVE List:

CVE-2012-1864, CVE-2012-1865, CVE-2012-1866, CVE-2012-1867, and CVE-2012-1868

 

Analysis:

This bulletin addresses 5 privately reported elevation of privilege vulnerabilities in the Windows kernel-mode drivers (win32k.sys). The patch fixes vulnerabilities that occur when loading TrueType fonts and when handling input from user mode. A local attacker who can log on and run code, and who successfully exploited any of these vulnerabilities, would gain kernel-level access to the target machine.

 

Recommendation:

Deploy patches at the earliest convenience; no mitigation is available.

 

MS12-042

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)


Microsoft Rating:

Important

CVE List:

CVE-2012-0217 and CVE-2012-1515

 

Analysis:

This bulletin addresses 1 privately reported vulnerability and 1 publicly disclosed vulnerability, both elevation of privilege vulnerabilities in the Windows kernel. The patch corrects how the User Mode Scheduler handles a particular system request (CVE-2012-0217, which concerns 64-bit editions of Windows on Intel processors). It also fixes a part of the Windows kernel that directly relates to Derek Soeder's VMware Backdoor ROM Overwrite vulnerability (CVE-2012-1515). A local attacker who successfully exploited either of these vulnerabilities would gain kernel-level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.