December 2012 Patch Tuesday

Today is the last Patch Tuesday of 2012. Its seven bulletins bring the total count for the year to 83, significantly down from last year’s 100 bulletins and even more from the 2010 count, which ended at 106 bulletins. Maybe even more important than the raw numbers is the more regular release rhythm that Microsoft set this year. We see this as a clear sign of a more mature process. Compare the relative smoothness of this year’s releases (blue line) to the two years before (red and green) and you can see where we are coming from:

Back to the December Bulletins: Five of this month’s bulletins are rated as critical by Microsoft, meaning that the addressed vulnerabilities can be used by an attacker to gain complete control over the targeted machine. Of the five, we think that MS12-079, a bulletin for Microsoft Word, is the most important. The attack can be accomplished through e-mail using a flaw in the Rich Text Format (RTF). An attacker can gain control of a computer without end user interaction because Microsoft Outlook automatically displays the malicious text in the Preview Pane. A potential work-around is to manually configure the preview pane in Outlook’s Trust Center to use plain text only, but one loses a significant amount of functionality that way. A close second in priority is the Internet Explorer bulletin MS12-077, which addresses vulnerabilities in Internet Explorer 9 and 10, the newest versions of IE that run under Vista, Windows 7 and Windows 8. Here, an attacker would have to lure the attack target to browse to a malicious webpage. This is a tad harder than sending the target a simple e-mail, another common attack method.

MS12-081 fixes a vulnerability in Windows Explorer and is triggered through a malicious Unicode filename. The attacker would have to control an SMB or WebDAV fileserver that the target accesses in order to exploit the vulnerability. A good mitigation for these types of attacks would be firewall SMB filesharing and WebDAV on the outbound firewall or proxy to restrict the use of these protocols to the internal network and limit their use on the Internet.

MS12-080 is this month’s only server side bulletin and it addresses a vulnerability in Microsoft Exchange and Sharepoint that stems from the inclusion of the Oracle Outside In file conversion software. IT admins should treat this bulletin the same way that they treated MS12-058 in August 2012 which had the exact same root cause, i.e. Oracle’s release of a new version of Outside In in their quarterly Critical Patch Update.

Please note that KB2755801 was updated, which shows that Microsoft embedded a new version of Flash in Internet Explorer 10. If you are not on IE10 yet and have Flash installed, you should take a look at Adobe’s Product Security Incident Response Team (PSIRT) site to apply the update yourself, which addresses three critical vulnerabilities.

Microsoft has also published a new whitepaper on defensive techniques against "Pass the Hash" attacks. "Pass the Hash" is a technique used by attackers after the initial exploit, in which they use the stored password hashes to gain access to other machines in the local network. It is an interesting read and offers plenty of configuration advice to help defend against this popular exploitation technique. The whitepaper is recommended reading over the holidays!