May Patch Tuesday 2012

This month, Microsoft released seven bulletins, three critical and four important, that addressed a total of 23 vulnerabilities. MS12-029 is the bulletin that should be highest on the list for most organizations, as it can be used to gain control of an end-user’s machine without requiring user interaction. The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.

MS12-034 — addressing 10 vulnerabilities — is the second critical bulletin, and it applies to the broadest selection of Microsoft software this month. Here’s some background to help to understand why: In December of 2011 Microsoft issued bulletin MS11-087, which patched a vulnerability in the TrueType Font handling in win32k.sys DLL that had actively been exploited by the Duqu malware. After the fix was delivered, Microsoft’s internal security team started an effort to identify further occurrences of the vulnerable code in Microsoft’s other software packages and found multiple products that contained the flawed code. MS12-034 now provides the patches necessary to address these "Sons of Duqu vulnerabilities," together with a number of other security fixes (9 CVEs) that were bundled into the same files. Please note that we are not aware of any malware currently exploiting this issue. See Microsoft’s SRD blog for a good summary of their internal engineering process.

MS12-035 is the third critical bulletin and addresses a flaw in XBAP, a Microsoft browser based application delivery format. It is probably the least urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the Intranet zone of the target. Since June 2011, with the MS11-044 bulletin, Windows has changed its behavior from simply running an XBAP application to asking the user (via a popup window) whether it is ok to execute the application, which provides an additional layer of security. However, similar to our recommendation for Java, we advise users to completely disable XBAP to improve the overall robustness of your installation.

Of the remaining four important bulletins, we recommend focusing on MS12-030 for Excel and MS12-031 for Visio. Both are file-format vulnerabilities that allow an attacker to take control over the targeted machine if its user opens a specifically crafted file. As we have seen in some of the last year’s data breaches, this lowers the success rate only slightly as attackers are capable of drafting a convincing e-mail that can trick a percentage of the e-mails recipients into opening such a file.

Adobe also released its monthly patches today, addressing five vulnerabilities in its Shockwave player. Three of the vulnerabilities were discovered by Rodrigo Branco, Qualys' Director of Vulnerability and Malware Research. You can find the detailed advisories published at http://www.qualys.com/research/security-advisories/. If you have any questions about the Adobe patches, you can discuss the advisories at community.qualys.com, which Rodrigo will be actively monitoring, or simply drop him an e-mail at rbranco@qualys.com