July 2012 Patch Tuesday

Today, Microsoft released nine bulletins addressing 16 vulnerabilities for July’s Patch Tuesday. Of the three bulletins rated critical, the top priority goes to MS12-043 that addresses the MSXML vulnerability, which has been under attack for the last 30 days. Microsoft initially warned about limited targeted attacks against a Heap overflow in KB2719615 during June’s Patch Tuesday. Since then, an exploit for the vulnerability has made it into the Metasploit toolkit and at least into one of the popular ExploitKits called BlackHole. MS12-043 addresses the vulnerability for version 3,4 and 6 of MSXML, while version 5, which corresponds with Office 2003 and Office 2007, will be addressed in the future. Users of Office 2003 or 2007 should look into the newly published workaround in KB2722479, which contains a FixIt that addresses the vulnerability.

By the way, both the current workaround described in KB2719615 and the new one for MSXML in KB2722479 are applied via Microsoft’s in-memory patching technique known as appcompat shims, originally developed for maintaining application compatibility. They are very similar to the final patch and 100% effective, so if you have applied the FixIt, you have bought yourself some additional time for testing and deployment.

Bulletin MS12-044 is an update for Internet Explorer 9 that addresses two critical vulnerabilities. Both can be triggered through a malicious webpage, and both allow the attacker "Remote Code Execution," i.e., full control of the targeted machine. Apply this patch as quickly as possible if you run IE9. The exploitability index is 1, meaning that Microsoft believes that it is easy for attackers to reverse engineer the patch and develop an exploit. What makes MS12-044 more interesting is that it only applies to IE9, a clear sign that security researchers have started to shift their attention to the new version of the browser. It is also the product of an accelerated update cycle that Microsoft has been working on. In the past, Internet Explorer was updated only every two months – that was how long it took to get through all the compatibility testing required for a stable release. Now, Microsoft has streamlined this process to reduce the time needed by 50%.

The third critical bulletin (MS12-045) is an update for the MDAC component. While MDAC is a Windows component, the most likely attack vector is through web browsing, similar to the previous two bulletins.

The rest of the bulletins are rated important and should all be deployed conforming to your normal rollout schedule for that severity, but MS12-046 deserves special attention, primarily if you have machines that are configured for Asian character input. The bulletin addresses a Remote Code Execution vulnerability in Microsoft Office through the IMESHARE.dll, which is used in multi-byte character input. We generally believe that Office vulnerabilities that allow for remote code execution deserve a rating higher than "important". One mitigating factor is that not all Office installations are affected, but only machines that have multi character input are enabled. This vulnerability has seen some attacks already in the Far East and was originally reported by Huawei.

Beyond the normal bulletins, there are two interesting additional security advisories. The first deals with changes to the way certificates are handled – e.g., RSA certificates with fewer than 1024 key length will be considered insecure by default. In addition, Microsoft will publish an enhanced version of a certificate management tool for Windows Vista and above. The tool will allow Microsoft to react more rapidly to certificate problems by streamlining the emission and revocation of certificates overall.

The second advisory provides a tool to disable "Gadgets" in Windows Vista and Windows 7. Support for Gadgets is being discontinued by Microsoft, and from a security standpoint, the recommendation is to turn off Gadget capabilities in Vista and Windows 7. In Windows 8, Gadgets do not exist anymore, but similar functionality is provided by Metro Apps.

This month is also the first time that we will use the new WIndows Update infrastructure that was upgraded and hardened in response to the investigation of the Flame malware, which abused certain aspects of the update mechanism to propagate itself.