As expected, Oracle released a new version of Java today with 14 fixes for vulnerabilities. Oracle Java 1.6 is now at the update 33 level, while Java 7 is at the update 5 level. In a change from past behavior, Apple synchronized its own release of Java with Oracle's and provides Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 in advisory APPLE-SA-2012-06-12-1.
Microsoft today also published Security Advisory 2719615, which describes a vulnerability in XML Core Services that is currently being exploited in the wild. Machines running Windows XP up to Windows 7 are affected by the vulnerability, which can be exploited by a specifically crafted, malicious webpage. The vulnerability was discovered by Google and the Qihoo 360 Security Center.
June’s Patch Tuesday comes in with a slight change. Microsoft is holding back the bulletin for Office and replacing it with a bulletin for Microsoft Lync, the enterprise instant messaging offering, also rated important (lync.microsoft.com). The number of advisories stays the same but the number of vulnerabilities addressed goes from 28 to 26.
Initially we also expected to get a new Windows Update client to further harden the Windows Update process, but this has been postponed to start after Patch Tuesday. The new Windows Update client is designed to address one of the security findings brought to light by the Flame malware: a code-signing flaw that allows attackers to sign executables with a key from Microsoft, making malware appear as legitimate software. As an immediate workaround, it is recommended that organizations install KB2718704, which removes the offending certificates from the local workstation certificate store, as soon as possible. Ultimately Microsoft is changing its software distribution process to gain additional robustness, by delivering a new Windows Update client that requires a new and unique code signing certificate and secures the delivery channel with additional restrictions.
Notwithstanding the changed advisory, the highest priority continues to be MS12-037, an advisory for Internet Explorer that fixes 12 vulnerabilities. One of them, CVE-2012-1875, is already being used in limited attacks in the wild, making it urgent to apply the patches for the vulnerability as quickly as possible. Another one of the vulnerabilities addressed is CVE-2012-1876, which was turned over to Microsoft by VUPEN during the PWN2OWN contest, held in early March at CanSecWest in Vancouver. Related to PWN2OWN, Google also released this week a description of the second exploit against Google's Chrome browser discovered at CanSecWest, which examines how security researcher Sergey Glazunov chained together an impressive 14 vulnerabilities to gain control over the target machine.
Our second highest priority is advisory MS12-036, which fixes two vulnerabilities (one critical) in the Microsoft RDP service, which were discovered internally by Microsoft after further auditing the RDP code during investigations of the MS12-020 advisory. Similar to MS12-020, using Network Level Authentication (NLA) to authenticate RDP sessions is a valid work-around, and we recommend looking into configuring NLA as the standard authentication mechanism as a hardening measure.
MS12-038 is the third critical advisory, which covers a .NET weakness in the delivery of XBAP applications through the browser. IE9 is not affected, as XBAP is disabled by default, at least in the Internet Zone, a great defensive setting. XBAP also gained additional warnings in the older IE browsers with the release of MS11-044 last year.
Operating System level hardening also helps against one of the other vulnerabilities, MS12-039, which addresses a DLL pre-loading vulnerability. The recommended configuration setting (KB2264107 from June 2010) of changing the DLL search path constitutes a valid work-around and would prevent machines from falling prey to an attack using this mechanism.
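The three host-level work-arounds mentioned above (NLA for RDP, the KB2264107 DLL search path setting, and the KB2718704 certificate removal) can be audited from one script. The following PowerShell is an added example written for this page, not code from the post's author, Microsoft or Qualys. The registry paths and value meanings are as documented in KB2264107 and the MS12-020 work-around guidance as the example's author understands them, and the certificate subject pattern is assumed from KB2718704; none of these details appear in the post itself, so confirm them against the KB articles before relying on the script.

```powershell
# Added example (not from the original post): audit the three work-arounds discussed
# on a Windows host. Registry paths/values are taken from the referenced KB articles
# as understood by this example's author; re-check them against the KBs.
# Written for PowerShell 2.0 and later; run elevated. Read-only unless -Fix is given.
param([switch]$Fix)

$results = @()
function Add-Result($check, $current, $compliant) {
    $script:results += New-Object PSObject -Property @{
        Check = $check; Current = $current; Compliant = $compliant
    }
}

# 1. RDP hardening (MS12-020 / MS12-036 work-around): require Network Level
#    Authentication, so the client authenticates before a full session is created.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
Add-Result 'RDP requires NLA (UserAuthentication = 1)' $nla ($nla -eq 1)
if ($Fix -and $nla -ne 1) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
}

# 2. DLL pre-loading hardening (KB2264107, MS12-039 work-around).
#    CWDIllegalInDllSearch = 0xFFFFFFFF removes the current working directory from the
#    DLL search order entirely; 2 blocks CWD loads from WebDAV and remote shares only;
#    1 blocks WebDAV only. Note: a REG_DWORD of 0xFFFFFFFF reads back as -1 (Int32).
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$cwd = (Get-ItemProperty -Path $smKey -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
$cwdOk = (@(1, 2, -1) -contains $cwd)
Add-Result 'CWDIllegalInDllSearch set (1, 2 or 0xFFFFFFFF)' $cwd $cwdOk
if ($Fix -and -not $cwdOk) {
    # Most restrictive setting (-1 as Int32 writes 0xFFFFFFFF); test application
    # compatibility before deploying this widely.
    Set-ItemProperty -Path $smKey -Name CWDIllegalInDllSearch -Value ([int]-1) -Type DWord
}

# 3. KB2718704: once the update is installed, the Microsoft Enforced Licensing
#    certificates abused by Flame should sit in the machine's Untrusted (Disallowed)
#    store. The subject pattern is assumed from the KB article, not from the post.
$disallowed = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like '*Microsoft Enforced Licensing*' })
Add-Result 'KB2718704 certificates in Untrusted store' $disallowed.Count ($disallowed.Count -gt 0)
# KB2718704 is an update rather than a registry toggle, so -Fix only reports on it.

$results | Select-Object Check, Current, Compliant | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant }).Count
exit $failed   # non-zero exit code = number of failed checks, handy for fleet-wide reporting
```

Run it as `.\Audit-June2012Workarounds.ps1` for a report, or with `-Fix` to apply the two registry settings. The script exits with the number of failed checks, so it can be driven from a management tool that treats a non-zero exit as a finding.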
Other vendors are also releasing important patches. Last Friday, Adobe published a new version of its Flash player that addressed six vulnerabilities and introduced several new security mechanisms: Sandboxing in Firefox, automatic updating for Mac OS X, and developer ID signing in preparation for the coming roll-out of the Mac OS X 10.8 Mountain Lion and its Gatekeeper component. Today, Oracle is also coming out with a new version of its Java programming language, and we recommend implementing this update as soon as possible, as attackers have been increasingly using Java security flaws for malware distribution.
By the way, if you are interested in the technical underpinnings of the Flame malware, the very sophisticated attack on the code signing certificate, including an estimate of the amount of work necessary to achieve a successful exploit, take a look at this paper from Alexander Sotirov, one of the original implementors of a similar attack against a CA in 2008.