Great explanation and technical detail on how to exploit MS12-052 through use-after-free with heapspray by Derek Soeder.
On this month’s Patch Tuesday, Microsoft released nine bulletins addressing a total of 26 vulnerabilities. In addition, Adobe also released new versions of its Adobe Acrobat and Adobe Reader (APSB12-16), Shockwave (APSB12-17) and Flash (APSB12-18) products. Taken together, these updates will keep both workstation and server administrators busy.
All of the Adobe bulletins and five of the Microsoft bulletins are rated "critical" and at least the first four in our list deserve an even higher urgency due to their potential impact on workstations and servers:
- MS12-060 fixes a vulnerability that is already being exploited in the wild. The vulnerability is located in the Windows Common Control and can be triggered through Office documents and through malicious web pages. The currently known attacks have been targeting Word and WordPad through RTF files attached to e-mail messages.
- APSB12-18 is a fix for a single vulnerability in the Adobe Flash Player. According to Adobe the vulnerability is currently being used in targeted attacks. The known attack vector is a Word document with an embedded ActiveX Flash object.
- MS12-054 addresses a flaw in the Remote Administration Protocol (RAP) of Windows Networking that an attacker can use to spread quickly within enterprise networks. The attacker first needs to gain access to a machine on the network and then needs to share a resource (say a printer) with a specifically crafted name that encodes the exploit for the vulnerability. All Windows machines periodically query the network for shared resources and would automatically execute the exploit code contained in the resource name. The vulnerability allows Remote Code Execution only on Windows XP and 2003; if you are on a current version, you are not affected. Microsoft published a detailed post with more background information on the SRD blog.
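Since the MS12-054 trigger described above is a share whose name carries the exploit, a share inventory is one place a defender can look for anomalies. The following Python script is an added example, not code from this post or from Microsoft: it parses a constructed tab-separated share listing (server, share name, type), an assumed format you would produce from whatever inventory tool you already run, and flags names that are implausibly long or contain control characters. The 32-character ceiling is an assumption chosen for illustration, not a limit the bulletin states.

```python
# Heuristic review of a share inventory for names that look machine-crafted
# rather than human-chosen. Example code; the listing format is assumed.

# Assumption: human-chosen share names rarely exceed this length.
MAX_NORMAL_LEN = 32

# Constructed sample inventory (server<TAB>share<TAB>type); not real data.
SAMPLE_SHARES = "\n".join([
    "FILESRV01\tPublic\tDisk",
    "FILESRV01\tHR-Print\tPrint",
    "WKS-0042\tScans\tDisk",
    "WKS-0077\t" + "A" * 96 + "\tPrint",        # implausibly long name
    "WKS-0078\tLaser\x01\x02\x7f\tPrint",       # control bytes in the name
])


def parse_share_listing(text):
    """Parse 'server<TAB>share<TAB>type' lines into dicts.

    Split on '\\n' only: str.splitlines() would also break on control
    characters such as \\x1c or \\x85, which are exactly what we want to keep
    inside a name so they can be flagged.
    """
    entries = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields")
        server, name, kind = parts
        entries.append({"server": server, "name": name, "type": kind})
    return entries


def suspicious_reasons(name, max_len=MAX_NORMAL_LEN):
    """Return the list of reasons a share name looks anomalous (empty if none)."""
    reasons = []
    if len(name) > max_len:
        reasons.append(f"length {len(name)} exceeds {max_len}")
    # ASCII control characters (0x00-0x1f) and DEL (0x7f) never belong in a
    # share name that a person typed.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("contains control characters")
    return reasons


def flag_shares(text, max_len=MAX_NORMAL_LEN):
    """Return (server, name, reasons) for every share that trips a heuristic."""
    flagged = []
    for entry in parse_share_listing(text):
        reasons = suspicious_reasons(entry["name"], max_len)
        if reasons:
            flagged.append((entry["server"], entry["name"], reasons))
    return flagged


if __name__ == "__main__":
    for server, name, reasons in flag_shares(SAMPLE_SHARES):
        printable = name.encode("unicode_escape").decode("ascii")
        print(f"{server}: {printable[:40]!r} -> {', '.join(reasons)}")
```

Run over a real inventory, the output is a review list rather than a verdict: a long name is only a hint, so confirm the hosting machine and who created the share before acting on it.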
- MS12-058 patches the flaw in the Exchange Server disclosed three weeks ago in KB2737111. The popular Outlook Web Access (OWA) Exchange component uses a vulnerable module from Oracle’s Outside In product to perform document conversions. An attacker who can lure a user into viewing a malicious document through OWA can gain access to the Exchange server at a low privilege level. The attacker would have to combine the exploit with a second exploit, a local privilege escalation, to gain full control over the server. Again, Microsoft published more details on the SRD blog.
- MS12-052 is a new version of Internet Explorer (IE) that addresses two critical vulnerabilities. All versions of IE from 6 to 9 are affected. Web browsing is one of the most common attack entry points, and this new version should be included in the initial patch rollout. Remember that Microsoft in July implemented an accelerated rollout cycle for IE, so from now on you can expect an IE update every month rather than every other month.
- MS12-053 is a fix for a remote desktop protocol (RDP) vulnerability in Windows XP running Terminal Services. This is the third RDP vulnerability this year (MS12-020, MS12-04X) and we are hopeful that most organizations have been cataloging their externally exposed RDP services and will be able to patch this vulnerability as quickly as possible.
These five vulnerabilities together with the Adobe updates should be on your priority list of updates to evaluate and install where applicable. Also don’t forget that the vulnerable Oracle Outside In library is used in other industry software packages, which will have to be patched eventually as well. For a list of software known to contain Outside In, see the list at US CERT.
For a more technical background on the Adobe Reader vulnerabilities, take a look at the blog post by Mateusz Jurczyk and Gynvael Coldwind.