BeyondTrust Patch Tuesday
May 08, 2012
Microsoft Patch Summary
This month, Microsoft released 7 bulletins that fix a total of 23 vulnerabilities. Of these vulnerabilities, there were 16 remote code execution vulnerabilities, 5 elevation of privilege vulnerabilities, 1 security bypass, and 1 denial-of-service vulnerability.
Patch MS12-029, MS12-034, and MS12-035 immediately to prevent exploitation by attackers. Patch MS12-030, MS12-031, MS12-032, and MS12-033 as soon as possible. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
- Web Event: Vulnerability Expert Forum (VEF)
- Presenters: The eEye Research Team
- Date/Time:
Wednesday, May 9th
1pm PT / 4pm ET / 9pm GMT
BULLETIN / ADVISORY DETAILS
MS12-029
Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)
Microsoft Rating:
CVE:
CVE-2012-0183
Analysis:
This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Word. The patch fixes a memory corruption vulnerability that occurs when Word parses certain RTF files. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.
Recommendation:
Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, read emails in plain text and use the Microsoft Office File Block Policy to block RTF documents that originate from potentially unsafe sources.
MS12-030
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830)
Microsoft Rating:
CVE List:
CVE-2012-0141, CVE-2012-0142, CVE-2012-0143, CVE-2012-0184, CVE-2012-0185, and CVE-2012-1847
Analysis:
This bulletin addresses multiple remote code execution vulnerabilities in Microsoft Excel: 1 was publicly reported (CVE-2012-0143) and 5 were privately reported. The patch fixes multiple memory corruption vulnerabilities, a heap overflow vulnerability, and a parsing type mismatch, which all occur when a file is being parsed by Excel. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.
Recommendation:
Deploy patches as soon as possible. Until the patch can be applied, do not open files that are not from trusted sources. If files not from trusted sources must be opened, use MOICE. Additionally, block Excel 2003, 2007, and 2010 files if they fail validation.
MS12-031
Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)
Microsoft Rating:
CVE:
CVE-2012-0018
Analysis:
This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Visio Viewer 2010. The patch fixes a memory corruption vulnerability that occurs when opening VSD files. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.
Recommendation:
Deploy patches as soon as possible. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.
MS12-032
Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)
Microsoft Rating:
CVE List:
CVE-2012-0174 and CVE-2012-0179
Analysis:
This bulletin addresses a publicly reported elevation of privilege vulnerability and a privately reported firewall bypass vulnerability in the Windows TCP/IP implementation. The patch fixes a vulnerability that allows attackers to bypass outbound firewall rules in the Windows Firewall. Additionally, the patch fixes a vulnerability arising from an issue regarding binding IPv6 addresses to a local interface. An attacker that successfully exploited the binding vulnerability would gain system level access to the target machine.
Recommendation:
Deploy patches as soon as possible; no mitigation is available.
MS12-033
Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)
Microsoft Rating:
CVE:
CVE-2012-0178
Analysis:
This bulletin addresses a privately reported elevation of privilege vulnerability in the Windows Partition Manager. The patch fixes how the Partition Manager handles device relations requests, which produces a vulnerable condition when two or more processes and/or threads call certain Plug and Play Configuration Manager functions simultaneously. A local attacker that successfully exploited this vulnerability would gain kernel level access to the target machine.
Recommendation:
Deploy patches as soon as possible; no mitigation is available.
MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
Microsoft Rating:
CVE List:
CVE-2011-3402, CVE-2012-0159, CVE-2012-0162, CVE-2012-0164, CVE-2012-0165, CVE-2012-0167, CVE-2012-0176, CVE-2012-0180, CVE-2012-0181, and CVE-2012-1848
Analysis:
This bulletin addresses 3 publicly reported vulnerabilities (CVE-2012-0181, CVE-2012-0164, and CVE-2011-3402) and 7 privately reported vulnerabilities. These are composed of 6 remote code execution vulnerabilities, 3 elevation of privilege vulnerabilities, and 1 denial-of-service vulnerability. The patch fixes vulnerabilities in TrueType, the .NET Framework, GDI+, Silverlight, Windows and Messages handling, keyboard layout files, and scrollbar calculations. An attacker that successfully exploited the most severe of these vulnerabilities would gain the ability to execute remote code in the kernel's context.
Recommendation:
Install the patch immediately to prevent exploitation by attackers, since no mitigation exists for CVE-2011-3402, CVE-2012-0164, CVE-2012-0180, CVE-2012-0181, or CVE-2012-1848. Until the patch can be installed, prevent access to t2embed.dll, block XAML browser applications from running in Internet Explorer, and prevent metafile processing. Additionally, prevent the Silverlight ActiveX control from running in Internet Explorer, and prevent Silverlight from running in Firefox and Chrome.
MS12-035
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)
Microsoft Rating:
CVE List:
CVE-2012-0160 and CVE-2012-0161
Analysis:
This bulletin addresses two privately reported remote code execution vulnerabilities in the .NET Framework. The patch fixes the serialization process within the .NET Framework, which incorrectly treats certain untrusted data as trusted data. The patch also fixes the way the .NET Framework handles an exception while serializing objects. An attacker that successfully exploited these vulnerabilities would be able to execute code in the context of the compromised .NET application.
Recommendation:
Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block partially trusted .NET applications and block XAML browser applications from running in Internet Explorer.
Feedback
The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.
Disclaimer
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.