As you install the nine updates that came out of Microsoft this month, five of which are critical with remote code execution, you should realize that no matter how complicated your network is someone else’s is more complicated. But, you say, I have servers on other continents with no one nearby to reboot them if things go poorly. Yeah, well, no one else has a server that’s at least 54 Million kilometers away and if it doesn’t come back up after a patch install is essentially a two and half billion-dollar brick. The team working on the Mars Rover Curiosity basically gets one shot to update the firmware on the rover, if anything goes wrong you basically have added one more very expensive rock to the surface of Mars. Think about that when you update your servers this month.
You know that feeling you get during those few minutes when you reboot a server after installing a patch and you anxiously wait for it to come back up so you can remote in and check to see if everything is working? There is always that sinking feeling you get jut before the VNC client connects when you think ‘Oh no, the patch broke it’ and then it just comes up and you breath that sigh of relief? Now imagine your dealing with a fifteen-minute delay and an eight-hour boot time. If it doesn’t come back up you can’t just walk back to the Server room and see what happened. Yeah, Mars is like that.
MS12-052 / KB2722913
Cumulative Security Update for Internet Explorer
CVE-2012-1526 CVE-2012-2521 CVE-2012-2523 CVE-2012-2522
If you are running IE8 you will also need to install MS12-056/KB2706045 (See below) to protect against CVE-2012-2523
MS12-054 / KB2733594
Remote Code Execution Windows Networking Components
CVE-2012-1850 CVE-2012-1851 CVE-2012-1852 CVE-2012-1853
Like 052 MS12-054 also covers four different vulnerabilities and again we have the possibility of remote code execution. Instead of issues with Internet Explorer these four impact Windows networking components, the most severe of which can be exploited with a specific response to a Windows print spooler request. The other three deal with a heap overflow, a stack overflow and a DoS in the Remote Administration protocol. The print spooler one is arguably the worst as not only can it allow RCE it can be implemented by a remote unauthenticated user. About the only thing you can do to protect yourself, other than installing the patch, is to disable the print spooler, but then you are still vulnerable to the Remote Administration protocol attacks, so umm, install the patch.
MS12-060 / KB2720573
Remote Code Execution Windows Common Controls
MS12-060 has already been disclosed publicly and Microsoft is aware of limited targeted attacks but they haven’t yet seen any proof of concept code. Considering this exploit results in Remote Code Execution we can probably expect PoC real soon now. This one does requires a bit of social engineering to exploit, as it requires a user to click a link, either on a web page, in an email, or in a message in Instant Messenger or to open an attachment. The issue is found in an ActiveX control in the MSCOMCTL.OCX file, specifically the TabStrip control which is a shared compented across multple MS Office products. There two different versions of the patch depending on which version of SQL Server you have installed, if you have automatic updates turned on it is smart enough to get the correct one. If you don’t have automatic updates check the MS knowledge base to determine your SQL Server version and which patch applies to you. There are some things you can do to mitigate this attack other than installing this patch but they involve editing the registry among other things, a lot easier to just install the patch.
MS12-053 / KB2723135
Remote Code Execution in Remote Desktop
We all remember MS12-020 and MS12-037 right? Well we have another one, MS12-053 also allows for the potential of Remote Code Execution in Remote Desktop. In this case a series of specially crafted RDP packets could result in RCE. If you don’t need remote desktop on your server disable it, which makes a lot of sense on paper but if your server is remote, say a few million miles away on say another planet that’s probably not all that feasible so at the very least if you can not install the patch at least block port 3389 at the firewall which should help against remote attacks, then you just need to worry about the internal ones. With there now being three possible vectors for attack it is only a matter of time before istherdpexploitoutyet.com will need to be updated with a big fat YES.
MS12-058 / KB2740358
Remote Code Execution in MS Exchange Server WebReady Document Viewing
I can hear system admins across the vastness of interplanetary space groan over this one. A publicly disclosed vulnerability with the potential for RCE, in Microsoft Exchange Server that requires a reboot? Altogether now, <groan>. While patching may be an inconvenience the vulnerability itself is pretty neat, it involves how the Outlook Web App (OWA) parses attachments for viewing via WebReady Document Viewing. OWA uses the Oracle Outside In libraries and this patch updates those libraries with a non-vulnerable version. If the Oracle Outside In libraries really interests you check out MS Security Advisory 273111 and CVE-2012-2525 which where addressed in an earlier patch but are related to this one. So now you're wondering if the problem is in an Oracle product why is Microsoft issuing the patch? Well, these are custom libraries that MS licenses from Oracle and Microsoft wants to protect all its Exchange customers so they issued the patch. Remember this one was released publicly but it hasn’t been seen in the wild, yet.
MS12-055 / KB2731847
Elevation of Privilege in Windows Kernel-Mode Drivers
Almost as popular as Internet Explorer is our old friend win32k.sys, which is used for just about everything from managing input devices such as your keyboard, your screen output, passing user messages to applications, and a bunch of other things. In this case if a user with a valid account runs a specially crafted application they can gain admin privileges and then of course control everything on the machine.
MS12-056 / KB2706045
Remote Code Execution in JScript and VBScript Engines
Yet another remote Code Execution but only for 64-bit versions of Windows. If a user visits a specially crafted webpage an attacker could take advantage of a flaw in the JScript and or VBScript engines. Be sure to check out MS12-052/2722913, also in this update, KB2706045 is for IE8 users and KB2722913 is for IE9 users, if you are running IE10 you’re golden. Of course if you have automatic updates turned on just let the system figure out which update you need.
MS12-057 / KB2731879
Remote Code Execution in Microsoft Office
This is another case where having automatic updates turned on will save you a lot of work as there are different update packages for different versions of Microsoft Office. You may even see these updates offered in Automatic Update if you don’t have MS Office installed. The affected code is also present in a lot of MS Office Viewer applications and while the viewer apps aren’t vulnerable themselves MS offers the update anyway just in case. The issue here is how Office handles Computer Graphics Metafiles or CGM and Word Perfect Graphic or WPG files. If successfully exploited the attacker could run arbitrary code as the current user which of course could lead to all sorts of nastiness such as creating admin accounts and other mayhem.
MS12-059 / KB2733918
Remote Code Execution in Microsoft Visio
I know what you’re thinking, this one is for Visio, and you specifically did not install Visio when you installed that Office suite and so you think you won’t need to install this patch. Well, you are wrong. If Visio was part of the MS Office Suite that you installed, even if you did not install Visio itself you will still be offered this update and you should probably go ahead and install it anyway. If your system is vulnerable to this exploit then all an attacker has to do is get you to open a specially crafted Visio file, that would most likely be via an email attachment but it could also be on a website that hosts third party content.
Hopefully all your servers safely reboot after you apply your patches as well as Curiosity. There are enough very expensive rocks on Mars already.
Researchers at Trustwave Spiderlabs are actively investigating these bulletins thoroughly, Using the information from Microsoft and other sources to develop protections for our customers against these threats as quickly as we can.