Another month, another Patch Tuesday. This one has seven bulletins, three of which are rated critical, covering a couple of dozen CVEs, and Microsoft expects working exploit code to be written for most of them. If you have Automatic Updates turned on you should be covered; if you don't, plan to apply these patches as soon as you can.
Remote Desktop Protocol Vulnerability
RDP seems to be getting hit quite a bit lately, which is understandable: once one big vulnerability turns up in a service a lot of people start looking at it and tend to find more. Ever since MS12-020 a lot of people have been knocking on RDP's door. It is an attractive target and one that many people leave exposed for convenience. This vulnerability causes a denial of service, and in some cases remote code execution, when RDP receives a specially crafted packet. The patch changes the way RDP processes packets in memory, which addresses the flaw. Microsoft thinks exploit code for this one is likely, and because of that it is rated critical. The update is offered to systems even if they do not have RDP enabled, but it is not offered to out-of-support builds such as XP SP2 or Server 2003 SP1, which get no security updates at all anymore. So if you are running RDP on something old(ish), make sure RDP is disabled, or at least not reachable from outside. Blocking TCP port 3389 at your firewall (and only allowing RDP from a management network or over a VPN) will keep attacks from the Internet away; remember that a host with RDP moved to a non-standard port is still exposed, so check what is actually listening rather than trusting the port number.
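As an added example (not code from the original post), here is a PowerShell snippet for an administrator who cannot take the RDP patch right away and wants to see whether a host is actually exposing RDP, turn it off where it is not needed, and otherwise limit inbound RDP to a management network. It assumes a Vista/7/2008-era host where `netsh advfirewall` exists (XP and 2003 use the older `netsh firewall` syntax), an elevated prompt, and that the address ranges in `$ManagementNets` are placeholders you replace with your own.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell prompt.
# Assumes Windows Vista/7/2008 or later (netsh advfirewall); XP/2003 need "netsh firewall".

$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# The RDP listener can be moved off 3389, so read the configured port instead of assuming it.
function Get-RdpListenPort {
    $p = (Get-ItemProperty -Path "$TsKey\WinStations\RDP-Tcp" -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if ($p) { [int]$p } else { 3389 }
}

# Report whether Remote Desktop is switched on and whether anything is really listening.
function Get-RdpExposure {
    # fDenyTSConnections: 0 = Remote Desktop allowed, 1 = denied
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $port = Get-RdpListenPort
    # netstat exists on every Windows version; look for a TCP listener on the RDP port.
    $listener = netstat -ano | Select-String -Pattern (':{0}\s+\S+\s+LISTENING' -f $port)
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -eq 0)
        ListenPort           = $port
        Listening            = [bool]$listener
    }
}

# The right answer for old hosts that will never receive the patch: turn Remote Desktop off.
function Disable-RemoteDesktop {
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
}

# Where RDP has to stay on, stop exposing it to the world. The built-in "Remote Desktop" rule
# group accepts connections from any source, so disable it and add an allow rule scoped to the
# management networks; with the default inbound policy set to block, everything else is dropped.
function Limit-RemoteDesktopSources {
    param([string[]]$ManagementNets = @('10.0.0.0/8', '192.168.0.0/16'))  # placeholders, use your own ranges
    $port = Get-RdpListenPort
    netsh advfirewall set allprofiles state on | Out-Null
    # Quoted: an unquoted comma would make PowerShell split this into two arguments.
    netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound" | Out-Null
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
    $scope = $ManagementNets -join ','
    netsh advfirewall firewall add rule name="RDP from management networks only" dir=in action=allow protocol=TCP localport=$port remoteip=$scope | Out-Null
}

# Look before you touch anything.
Get-RdpExposure | Format-List
```

Run `Get-RdpExposure` first: a host that reports `RemoteDesktopEnabled = False` but `Listening = True` has something else (or a changed policy) on that port and deserves a closer look. Do not run `Limit-RemoteDesktopSources` from an RDP session that comes from outside the management ranges, because the rule takes effect immediately and will cut that session off.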
Cumulative Security Update for Internet Explorer
CVE-2012-1523, CVE-2012-1858, CVE-2012-1872, CVE-2012-1873, CVE-2012-1874, CVE-2012-1880, CVE-2012-1881, CVE-2012-1882
Wow, look at all those CVE numbers! This cumulative update really packs them in, fixing not one, not two, but thirteen different vulnerabilities. The worst of them allow remote code execution if a user views a specially crafted web page. The attacker gets only the privileges of the logged-on user, but if that user happens to be an administrator, well, game over. The vulnerabilities affect every version from IE 6 up to and including IE 9. The fixes cover everything from the way Internet Explorer handles objects in memory, to HTML sanitization in toStaticHTML, to the way it renders data during certain processes, to the way it creates and initializes strings. Since the payoff for an attacker is code running as the browsing user, this is the bulletin that rewards least privilege: browsing from a non-admin account limits what a drive-by can do even before the patch lands.
Remote Code Execution in .NET
This one looks particularly nasty. If you have an affected version of the .NET Framework installed, improper execution of a function pointer could let an attacker run code remotely; the browser-side vector is a XAML browser application (XBAP) hosted on a web page. That means any web page, advertisement, or site that hosts user-provided content could potentially take advantage of it. IE on Server 2003, 2008 and 2008 R2 runs in Enhanced Security Configuration by default, which blocks this vector, but the framework on those servers is still affected, so they still need the patch. If you can't apply the patch for whatever reason, disable XAML browser applications in Internet Explorer: Internet Options, Security tab, Custom level, and under ".NET Framework" set Loose XAML, XAML browser applications and XPS documents to Disable. Under ".NET Framework-reliant components" also disable running components not signed with Authenticode. Don't forget to make the same changes for the Local Intranet zone as well as the Internet zone.
Remote Code Execution in Lync
CVE-2011-3402, CVE-2012-0159, CVE-2012-1849, CVE-2012-1858
You might notice that one of those CVE numbers starts with 2011 and think, whoa, has this been around since last year? In this case, yes: CVE-2011-3402 is the TrueType font parsing bug that was first patched in the Windows kernel in December 2011, and this update closes the same font-parsing flaw in Lync. In general, though, a dated CVE number is not by itself a concern: numbers are often reserved while a researcher is still working on a potential vulnerability, and the research can take a while to finish.
Once again we have the potential for remote code execution, this time centered on how Microsoft Lync handles TrueType fonts. If you haven't heard of Lync, it's Microsoft's corporate messaging system, think Skype but as part of Microsoft Office. (Wait, didn't Microsoft buy Skype?) Besides the font parsing there is an insecure library loading issue (CVE-2012-1849), the classic DLL preloading problem where Lync picks up a library from an attacker-controlled directory, and CVE-2012-1858, the same HTML sanitization flaw in toStaticHTML that is fixed by the Internet Explorer update above (MS12-037); the CVE appears in both bulletins.
MS Dynamics AX Enterprise Portal Elevation of Privilege
This one deals with Microsoft's ERP solution, Dynamics AX, specifically the Enterprise Portal. Researchers found a cross-site scripting flaw in part of the portal, made more serious by the fact that Internet Explorer 8 and 9 switch off their XSS countermeasures when talking to it. That happens because the default settings for the Local Intranet zone disable a number of protections, including the XSS Filter, in favor of compatibility with in-house applications. Dumb stupid Intranets.
The patch resolves the flaw by properly sanitizing user input on the Enterprise Portal server, so it is the portal servers, not the clients, that need updating. Until then the attack still depends on social engineering: a victim has to be lured, typically by a link in an email or on a website, into opening a crafted portal URL while logged in.
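Both the .NET workaround above (disabling XAML browser applications and unsigned .NET components in the Internet and Local Intranet zones) and the Dynamics AX point about the Local Intranet zone dropping its XSS countermeasures come down to IE zone settings, which live in the registry. As an added example (not code from the original post or from Microsoft), here is a PowerShell snippet that reports and changes those settings for the current user. It assumes IE 8 or 9, that zone settings are not enforced machine-wide by policy (the `Security_HKLM_only` value, in which case the same value names under `HKLM` apply instead), and that the numeric value names are IE's documented URL-action IDs.

```powershell
# Added example, not part of the original post. Changes the current user's IE zone settings
# (HKCU); if zone policy is enforced machine-wide (Security_HKLM_only), edit HKLM instead.

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Internet = 3; $LocalIntranet = 1   # IE zone numbers (0 My Computer, 2 Trusted, 4 Restricted)
$On = 0; $Prompt = 1; $Off = 3      # values an IE URL action can take

# IE URL-action IDs: the value names found under each zone key.
$Actions = @{
    XamlBrowserApplications = '2400'   # .NET Framework > XAML browser applications
    XpsDocuments            = '2401'   # .NET Framework > XPS documents
    LooseXaml               = '2402'   # .NET Framework > Loose XAML
    RunUnsignedComponents   = '2004'   # .NET Framework-reliant components > Run components not signed with Authenticode
    XssFilter               = '1409'   # Turn on Cross-Site Scripting Filter (IE8+); off by default in Local Intranet
}

# $null means the value is absent from HKCU and IE falls back to the zone's built-in default.
function Get-IEZoneAction([int]$Zone, [string]$Action) {
    $name = $Actions[$Action]
    $item = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

function Set-IEZoneAction([int]$Zone, [string]$Action, [int]$Value) {
    Set-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name $Actions[$Action] -Value $Value -Type DWord
}

# MS12-038 workaround: the four .NET settings, in both the Internet and the Local Intranet zone.
function Disable-XbapInBrowser {
    foreach ($zone in $Internet, $LocalIntranet) {
        foreach ($action in 'XamlBrowserApplications', 'XpsDocuments', 'LooseXaml', 'RunUnsignedComponents') {
            Set-IEZoneAction $zone $action $Off
        }
    }
}

# The Local Intranet zone ships with the XSS Filter off, which is what lets a reflected XSS in an
# intranet application such as the Dynamics AX Enterprise Portal run unhindered. Turn it on.
function Enable-IntranetXssFilter {
    Set-IEZoneAction $LocalIntranet 'XssFilter' $On
}

# Show every action we touch, for both zones, so you can compare before and after.
function Get-IEZoneReport {
    foreach ($zone in $Internet, $LocalIntranet) {
        foreach ($action in $Actions.Keys) {
            New-Object PSObject -Property @{
                Zone   = $zone
                Action = $action
                Value  = Get-IEZoneAction $zone $action
            }
        }
    }
}

Get-IEZoneReport | Format-Table Zone, Action, Value -AutoSize
Disable-XbapInBrowser
Enable-IntranetXssFilter
Get-IEZoneReport | Format-Table Zone, Action, Value -AutoSize
```

Restart Internet Explorer after running it; open windows keep their old zone settings. The first report is worth keeping: a `Value` of 0 for the XAML actions in the Local Intranet zone is the permissive default the .NET section warns about, and 3 for `XssFilter` in that zone is why an intranet XSS gets a free pass. Turning the XSS Filter on for intranet sites can break poorly written in-house applications, so test it against the applications you actually use before rolling it out through Group Policy.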
Kernel-Mode Drivers Elevation of Privilege
CVE-2012-1864, CVE-2012-1865, CVE-2012-1866
This update covers five vulnerabilities, including the three CVEs listed above, all of which can lead to elevation of privilege if exploited by a user who is already logged on locally. The problems are in how the Windows kernel-mode drivers (specifically win32k.sys) validate input passed from user mode and handle TrueType font loading; the fix corrects that validation and adds runtime checks to the thread creation mechanism. None of these is a remote attack on its own, but paired with any of the code execution bugs above, a local privilege escalation turns a compromised user session into a compromised machine. Microsoft hasn't seen any of them exploited in the wild yet, but expects to.
Windows Kernel Elevation of Privilege
MS12-042 is a two-fer, fixing two CVEs with a single update. In both cases the end result is elevation of privilege: any user with local access to a system could run a specially crafted application and gain kernel-mode (SYSTEM level) privileges, which means they own the box and can do anything they want. The issues lie in the Windows User Mode Scheduler and in the way Windows manages the BIOS ROM. The BIOS vulnerability affects only XP SP3 and Server 2003 SP2, while the Scheduler vulnerability affects only x64 versions of Windows 7 and Server 2008 R2 on Intel processors, so 32-bit installs are safe from that one. Microsoft says it hasn't seen either of these exploited in the wild yet, but it does expect exploit code to be written for them.
That’s it for this month. Not too bad, comparatively speaking. We will be back next month with another analysis.