BeyondTrust Patch Tuesday

November 13, 2012

Microsoft Patch Summary

This month, Microsoft released six patches that repair a total of 19 vulnerabilities. Of these vulnerabilities, there were 12 remote code execution vulnerabilities, four elevation of privilege vulnerabilities, and three information disclosure vulnerabilities.

Administrators are advised to patch MS12-071, MS12-072, MS12-074, and MS12-075 immediately to prevent exploitation by attackers. Next, administrators should patch MS12-076 as soon as possible. Lastly, administrators should patch MS12-073 at their earliest convenience. As always, BeyondTrust suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the BeyondTrust Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The BeyondTrust Research Team
  • Date/Time: Wednesday, Nov 14th
    1pm PT / 4pm ET / 9pm GMT

BULLETIN / ADVISORY DETAILS

MS12-071

Cumulative Security Update for Internet Explorer (2761451)

Microsoft Rating: Critical

CVE List: CVE-2012-1538, CVE-2012-1539, and CVE-2012-4775

Analysis:

This bulletin addresses three privately reported remote code execution vulnerabilities in Internet Explorer 9. The patch fixes three use-after-free vulnerabilities that occur when Internet Explorer accesses in-memory objects that have already been deleted or were never initialized. An attacker who successfully exploited any of these vulnerabilities would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ActiveX controls and block or disable Active Scripting in both the Internet and Local intranet zones.

MS12-072

Vulnerabilities in Windows Shell Could Allow Remote Code Execution (2727528)

Microsoft Rating: Critical

CVE List: CVE-2012-1527 and CVE-2012-1528

Analysis:

This bulletin addresses two privately reported remote code execution vulnerabilities in Windows Shell, specifically within Windows Briefcase. The patch fixes an integer underflow and an integer overflow that can occur when opening specially crafted Briefcase files. An attacker who successfully exploited either of these vulnerabilities would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, remove the Briefcase namespace shell extension from the registry.

MS12-073

Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure (2733829)

Microsoft Rating: Moderate

CVE List: CVE-2012-2531 and CVE-2012-2532

Analysis:

This bulletin addresses one privately reported and one publicly disclosed information disclosure vulnerability in Microsoft Internet Information Services. The patch fixes a password disclosure vulnerability caused by improper management of a log file's permissions. It also fixes an FTP command injection vulnerability that occurs when handling specially crafted FTP commands. An unauthenticated attacker who successfully exploited the FTP command injection vulnerability would be able to disclose information not normally available to unauthenticated users.

Recommendation:

Deploy patches at the earliest convenience; no mitigation is available for CVE-2012-2532. Until the patch can be installed, CVE-2012-2531 can be mitigated by the following:

  • make sure the “Operational” log is disabled when adding custom accounts to an Application Pool (it can be enabled before or after adding custom accounts),
  • use built-in account identities rather than adding custom accounts, and
  • block non-administrator accounts from having access to the Event Viewer snap-in.

MS12-074

Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2745030)

Microsoft Rating: Critical

CVE List: CVE-2012-1895, CVE-2012-1896, CVE-2012-2519, CVE-2012-4776, and CVE-2012-4777

Analysis:

This bulletin addresses five privately reported vulnerabilities in the .NET Framework. The patch fixes two elevation of privilege vulnerabilities, two remote code execution vulnerabilities, and one information disclosure vulnerability. These vulnerabilities are caused by improper permission enforcement during reflection, insecure DLL library loading, improper sanitization of data returned to partially trusted code, and a lack of validation before executing default web proxy settings files that contain JavaScript. An attacker who successfully exploited the most severe of these vulnerabilities would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers; no mitigation exists for CVE-2012-1896. Until the patch can be installed, block XAML browser applications from running in Internet Explorer. Additionally, prevent the Silverlight ActiveX control from running in Internet Explorer, and prevent Silverlight from running in Firefox and Chrome. To mitigate the insecure library loading vulnerability, block ports 139 and 445 at the perimeter firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares. To mitigate the web proxy auto-discovery vulnerability, disable web proxy auto-discovery in Internet Explorer. As a defense-in-depth measure, register web proxy auto-discovery yourself so that attackers cannot take advantage of systems and applications that still rely on default proxy settings.
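
The MS12-071 and MS12-074 workarounds above both come down to Internet Explorer zone settings. The following audit script is an added example, not part of the BeyondTrust newsletter or Microsoft's guidance; it assumes the standard IE zone registry layout (Zones\1 = Local intranet, Zones\3 = Internet; action value 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting", 2400 = "XAML browser applications"; data 0 = Enable, 1 = Prompt, 3 = Disable) and only checks the machine-policy and current-user hives, so it reports rather than changes anything.

```powershell
# Added example: report whether the IE zone settings named in the MS12-071 and
# MS12-074 workarounds are at the mitigated value (3 = Disable). Assumptions on
# the registry layout and value numbers are stated in the lead-in.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{
    '1200' = 'Run ActiveX controls and plug-ins (MS12-071)'
    '1400' = 'Active scripting (MS12-071)'
    '2400' = 'XAML browser applications (MS12-074)'
}
$state = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Machine policy (Group Policy) overrides the per-user preference, so it is
# consulted first. Assumption: Security_HKLM_only is not in use on this host.
$hives = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$report = foreach ($z in $zones.Keys) {
    foreach ($a in $actions.Keys) {
        $effective = $null
        $source    = 'not set (IE default applies)'
        foreach ($h in $hives) {
            $key = Join-Path $h $z
            if (-not (Test-Path $key)) { continue }
            $v = (Get-ItemProperty -Path $key -Name $a -ErrorAction SilentlyContinue).$a
            if ($null -ne $v -and $null -eq $effective) {
                $effective = [int]$v
                $source    = $key
            }
        }
        $label = if ($null -eq $effective) { 'n/a' } else { $state[$effective] }
        [pscustomobject]@{
            Zone      = $zones[$z]
            Setting   = $actions[$a]
            Value     = $label
            Mitigated = ($effective -eq 3)   # workaround requires Disable
            Source    = $source
        }
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Mitigated }) {
    Write-Warning 'One or more zone settings are not at the mitigated value (Disable).'
}
```

Run it once before and once after applying the workaround; any row with Mitigated = False still relies on the IE default for that zone.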

MS12-075

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226)

Microsoft Rating: Critical

CVE List: CVE-2012-2530, CVE-2012-2553, and CVE-2012-2897

Analysis:

This bulletin addresses three privately reported vulnerabilities in Windows kernel-mode drivers: two elevation of privilege vulnerabilities and one remote code execution vulnerability. The patch fixes two use-after-free vulnerabilities and a font parsing vulnerability. An attacker who successfully exploited these vulnerabilities would gain kernel-level access to the target machine.

Recommendation:

Deploy patches immediately; no mitigation is available.

MS12-076

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2720184)

Microsoft Rating: Important

CVE List: CVE-2012-1885, CVE-2012-1886, CVE-2012-1887, and CVE-2012-2543

Analysis:

This bulletin addresses four privately reported remote code execution vulnerabilities in Microsoft Excel. The patch fixes a heap overflow, a memory corruption, a use-after-free, and a stack overflow vulnerability, all of which occur when parsing Excel files. An attacker who successfully exploited any of these vulnerabilities would gain user-level access to the target machine.

Recommendation:

Deploy patches as soon as possible. Until the patch can be applied, block Office Excel 2003 and 2007 files that fail validation, block Office 2003 and earlier files from untrusted sources, use MOICE when opening files that are not from trusted sources, and disable editing in Protected View for documents that fail validation in Excel 2010.

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.