The head of Trustwave SpiderLabs Nicholas Percoco has had an unusual goal this year of drinking a different beer every day for the entire year. Considering his travel schedule and the number of times he has been stranded in airports around the world coming up with a new beer every single day has been quite the accomplishment. He has been checking them in on Untappd and the list is pretty impressive. From fairly regular beers such as Miller Light (Mar 17) to the fairly esoteric Trappistes Rochefort 10 (Oct 14) the varieties of beers he has drunk almost rivals the varieties of vulnerabilities we have seen in Microsoft’s products this year.
This last Patch Tuesday of the year makes it a total of eighty-three different bulletins for 2012. That only comes out to about one bulletin for every four days or so, which isn’t the same as a beer per day but at least there were seventeen fewer bulletins this year than there were in 2011. However, while some beers have higher alcohol content than others some bulletins are more severe than others. This year, even though there are fewer overall bulletins, more of those bulletins were rated as critical. There were thirty-five critical bulletins this year versus thirty-four critical bulletins last year. So while the overall number of vulnerabilities seems to be decreasing the percentage of those that are really bad seems to be increasing.
So grab a bottle of your favorite beer, perhaps a bottle of Cipher (Feb 17) from Half Acre Brewing, and lets go through the bulletins for December, the last Patch Tuesday of the year 2012.
Remote Code Execution in Internet Explorer
CVE-2012-4781 CVE-2012-4782 CVE-2012-4787
We love IE bugs, so common, been around forever and yet still so delicious at the same time, almost just like a Guinness Draught (Feb 21). This patch is rated critical for Internet Explorer 9 and 10 on desktops but only rated moderate for IE 9 and 10 on server platforms. As usual all it takes is specially crafted web page, in all three cases one that accesses objects in memory after they have been deleted, or a ‘use after free’ vulnerability. This might result in memory corruption, which could be used to run arbitrary code as the current user.
Remote Code Execution in Kernel-Mode Drivers
You never think that a standard IPA is going to kick your ass just like you don’t think of fonts as a security risk. Then there is 120 Minute IPA (Jan 31) from Dogfish Head Craft Brewery with its 18% ABV and it hits you just like a True Type or Open Type Font Parsing Vulnerability. With a specially crafted web page or word document that embeds a malicious font file an attacker could execute arbitrary code. Once you have the ability to run arbitrary code its pretty much game over, an attacker can install programs, delete data, or create new accounts. All that from a bad font file or a 120 Minute IPA.
Remote Code Execution in Microsoft Word
While Microsoft has not yet seen this one being exploited in the wild they do expect exploited code to show soon. This one has to do with how MS Word parses RTF files and again, could result in remote code execution. The problem is present in Word 2003, 2007, 2010 and even MS Word Viewer. Users of Outlook 2007 and Outlook 2010 should also take note as MS Word is set as the default email reader for those email clients. Considering the rise in recent spear phishing attacks you should not get to comfortable while drinking your Hipster Ale (Nov 10) and instead should apply this patch.
Remote Code Execution in MS Exchange Server
CVE-2012-3214 CVE-2012-3217 CVE-2012-4791
Ubiquitous (Nov 23) from Pipeworks Brewing could be used to describe Microsoft Exchange Server as it is one of the most common email servers on the Internet. It is everywhere. We mentioned last week that you might want to go ahead and schedule a reboot time for your Exchange server so you can apply this update right away. The problem here isn’t actually in Exchange but in the Outside-In Libraries provided by Oracle, which is an area that seems to be getting a lot of attention in the last few months. Oracle patched these vulnerabilities in their Critical Patch Update in October. CVE-2012-3214 and CVE-2012-3217 are the two vulnerabilities in the Oracle Libraries but there is third CVE fixed in this update CVE-2012-4791 which can result in a DoS if Exchange Server improperly handles an RSS feed. The DoS could cause the Exchange Database to unmount and lead to corruption of databases affecting user mailboxes. Depending on your boss losing their email might be worse than RCE, so install the patch and reboot the mail server as soon as you can, then go grab your beer.
Remote Code Execution in Windows File Handling
This vulnerability could allow remote code execution if a user browsed to a folder that contains a file or subfolder with a specially crafted name and it impacts pretty much everything from XP SP3 to Server 2008 R2. And of course ‘browse to a folder’ can be accomplished with an email attachment if the attacker can get the receiver to open it. If you are still running older version of the OS Microsoft thinks this vulnerability will be pretty easy to exploit. Even easier than finding a Christmas Ale (Nov 21) at Christmas time.
Remote Code Execution in DirectPlay
DirectPlay is an old API that was part of the DirectX API used as a network communication library intended for game development but usually used for other stuff. This component is present in all versions of DirectX from 9.0 in XP through 11.1 in Windows 8 and Server 2012. If an attacker can successfully convince a user to view a specially crafted Office document with embedded content they could gain the same user rights as the current user and execute arbitrary code. Exploit code this looks rather unlikely, which is probably why this is rated as only Important and not Critical. Just because it isn’t Critical doesn’t man that it doesn’t count, just like Bulmers Irish Cider (Oct 23) still counts as beer.
Security Feature Bypass in IP-HTTPS
No one really knows what the three hundred and sixty sixth beer (It’s a Leap year!) that Nicholas will have this year will be. Perhaps he doesn’t even know. I have to wonder how you even find that many different beers? But when you brew your own beer, like Getcha Through it Holiday Ale (Nov 19) I suppose you are not limited buy commercial availability. One thing we do know is that the last bulletin released by Microsoft for 2012 will be a problem with revoked certificates. If an attacker presents a revoked certificate to an IP-HTTPS server commonly used in Microsoft DirectAccess deployments they could bypass security features. To exploit the vulnerability, an attacker must use a certificate issued from the domain for IP-HTTPS server authentication. One way of mitigating this flaw is to disable the domain computer accounts associated with revoked client certificates.
And that’s it for all the Microsoft security bulletins for two thousand twelve. We will all raise our beer in hopes that there are even fewer of them next year. In a few days we will also find out which beer Nicholas decides will be his last one for the year and if he will decide to do it again next year!