In short: Get MS12-043, MS12-045, and, if running IE9, MS12-044 patched and get back to that game of Where's My Water?
Not sure if you are one of the unlucky ones still at risk of a zeroday within MSXML 5.0? Here is a quick breakdown: Office 2003 and 2007, Office Word Viewer, Expression Web Edition, Office SharePoint Server 2007, and Groove Server 2007. The good news (dare I say context?), however, is that MSXML 5.0 is not on the pre-approved controls list and therefore gives a big warning to users who browse to a site that tries to load the MSXML 5.0 ActiveX control.
MSXML 0day fixed?
This month’s Patch Tuesday bulletins bring an end to a zeroday vulnerability within MSXML that was first announced towards the beginning of June. Specifically MS12-043 has the fix that IT folks have been waiting a month for, while exploits have floated around, even within popular exploit toolkits. That is unless of course you are one of the unlucky people using MSXML 5.0, which Microsoft has not released a fix for as they are still finishing their testing.
Not sure if you are one of the unlucky ones still at risk of a zeroday within MSXML 5.0? Here is a quick breakdown: Office 2003 and 2007, Office Word Viewer, Expression Web Edition, Office SharePoint Server 2007, and Groove Server 2007. The good news (dare I say context?), however, is that MSXML 5.0 is not on the pre-approved controls list and therefore gives a big warning to users who browse to a site that tries to load the MSXML 5.0 ActiveX control.
Tasty MDAC treat
Another stand out security bulletin this month is MS12-045, which covers a vulnerability within MDAC. MDAC is something that has been exploited plenty of times in the past, including CVE-2006-0003, which was leveraged by the vast majority of exploit toolkits. This new MDAC vulnerability looks to be something that also will make its way into exploit toolkits sooner rather than later given that it affects most OS’s and is straightforward to exploit.IE 9 Wins!
Internet Explorer 9 is not only the “faster browser” this month, but also the fastest way to get you owned. MS12-044 specifically covers a critical vulnerability that affects only Internet Explorer 9. We are always a big fan of vulnerabilities that only exist in the latest versions of Microsoft software vs. older ones. It is almost some sort of karmic payback for the number of times Microsoft has decided to patch only new versions of their software (during internal code audits) vs. back porting those fixes to older, yet still supported, versions of their software. Picture slow motion paint being dropped on some IT guy’s head while “cyber criminals” steal the company goods specifically because of IE 9. That being said, you are still better off with IE9 than any of the previous versions of IE, so if you are working in IT, don’t let your corporate overlords use this as an excuse of why Internet Explorer 6 still makes sense—we remember what happened to Google, right?Windows 8 sneak peak?
Another notable aspect of this Patch Tuesday is the fact that Microsoft has highlighted MS12-043 and MS12-044 as affecting the Windows 8 Consumer Preview. It is an interesting glimpse into the future to know that the critical MS12-043 (MSXML vulnerability) would have affected Windows 8 as well as the Internet Explorer vulnerability covered in MS12-044. Now just because the software versions were affected does not mean that exploitation would be as straightforward under Windows 8 vs. older operating systems. Only time will tell how well Windows 8 fairs, but certainly the fact that two of the nine bulletins released today affect Windows 8 is an interesting view of what may come in the future.DLL Preloading (Make it stop, please.)
And no Patch Tuesday would be complete without an obligatory DLL Preloading vulnerability, which this July 2012 PT serves up within bulletins MS12-046. I do not really know what to say here except that if you are still allowing WebDAV through your perimeter, then your IT friends should make fun of you in the same vein that we “pity the fool” that would have been affected by DNSChanger (i.e. users running as Admin, not restricting egress DNS to known servers, etc…). Interestingly enough, there is another vulnerability MS12-048 that, while not DLL Preloading, is also partially mitigated through a lot of the same techniques we have previously recommended in mitigating DLL Preloading.
Wrap-Up and Vulnerability Expert Forum
Rounding out the rest of the bulletins for this month is a critical privilege escalation vulnerability (MS12-047) (which has probably been roaming “power plants” for a while), another SharePoint XSS vulnerability in MS12-050, and finally a less exciting Office for Mac vulnerability in bulletin MS12-051. Don’t forget that tomorrow is our Vulnerability Expert Forum in which the BeyondTrust research team will be discussing this latest Patch Tuesday, as well as other interesting developments in security. You can sign up for the VEF here.