Microsoft released a preview of what it has planned for the May 2012 Patch Tuesday release next week. Expect seven bulletins -- three of them critical -- for some 23 vulnerabilities. Here's some early analysis from several patch management experts.
Paul Henry, security and forensic analyst for Lumension: "The disruptive restarts and the wide range of platforms impacted by this month’s bulletins will have IT teams scrambling to accomplish their flaw remediation tasks. With the workload from Oracle and now the bulletins expected from Microsoft many will unfortunately not get a break for the Memorial Day weekend."
We have 7 bulletins this month; 3 critical and 4 important.
Bulletin 1 Critical - Remote Code Execution May require restart Microsoft Office
Bulletin 2 Critical - Remote Code Execution May require restart Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight, Microsoft Office
Bulletin 3 Critical - Remote Code Execution May require restart Microsoft Windows, Microsoft .NET Framework
Bulletin 4 Important - Remote Code Execution May require restart Microsoft Office
Bulletin 5 Important - Remote Code Execution May require restart Microsoft Office
Bulletin 6 Important - Elevation of Privilege Requires restart Microsoft Windows
Bulletin 7 Important - Elevation of Privilege Requires restart Microsoft Windows
Pending the official release from Microsoft on Tuesday, of greatest concern this Patch Tuesday period are Critical Bulletins 2 and 3, which impact both legacy and current generation operating systems. It’s also interesting to note that with today’s released information regarding Microsoft Active Protections Program (MAPP) (http://blogs.technet.com/b/msrc/), Microsoft has identified a partner that had breached its MAPP NDA and has taken steps to reduce the risk of information disclosure.
Alex Horan, Sr. Product Manager, CORE Security: “It would be dangerous for IT professionals to not take Bulletins 6 and 7 seriously because both bulletins address the issue of Elevation of Privilege, or taking limited control of a system and elevating it into full control. The common misperception is that no attacker will ever gain the initial foothold needed to pull that off. However, in today’s aggressive times, the mature security professional recognizes that compromise is inevitable and containment is key. After all, it is not realistic to think you can contain someone if they have full control of your system.”
Wolfgang Kandek, Qualys CTO: “The bulletins affect all versions of Windows, and Microsoft Office (including for Mac OS X), plus Microsoft Silverlight. The three critical bulletins provide fixes for Microsoft Office, Silverlight and .NET, with Bulletin 2 actually impacting all three products. These bulletins will be highest priority for IT admins, especially Bulletin 1, which has critical rating for Office 2003 and 2007 which we do not see all that often. Bulletin 1 also affects Office for the Macintosh, but is rated only important on that platform.
“Bulletin 4 and 5 cover Microsoft Office as well and while they are ranked only "important" provide fixes for Remote Code Execution (RCE) vulnerabilities. They should be considered high priority as Bulletin 4 affects the free Excel viewer and bulletin 5 the free Visio viewer, giving us a clue as to what file formats contains the weaknesses. If we include this month, Microsoft will have released 35 bulletins this year, roughly on par with last year's 36, but we received them at a much steadier rate fluctuating between 6 and 9 so far. Last year, and in prior years we have seen much stronger differences ranging from 2 to 17. We are not sure this is intended, but it makes the workload much more predictable and is preferable to the more bursty release mode.”
Marcus Carey, security researcher at Rapid7: “The Microsoft Security Bulletin Advance Notification for May 2012 contains 7 bulletins: three rated “critical” and the rest “important.” Just when most organizations and consumers have been fanning the flames of the first quarter, this serves notice that information security is a war and not a battle.
“Bulletin 1 is a critical vulnerability in Microsoft Office. Since this bulletin is categorized as affecting Microsoft Office it's safe to say that this is a underlying issue on how it processes data. The vulnerability will likely be able to be exploited by crafting a malicious file that can be opened by any Microsoft Office applications. This is becoming a recurring theme for organizations and end users because it's primed for phishing attacks. As we’ve learned over the past couple weeks, Mac users need to apply these patches as soon as possible as attackers are targeting them through Microsoft Office vulnerabilities.
“Bulletins 2 and 3 are both rated as critical and affect all of Microsoft’s current operating systems, from Windows XP SP3 to Windows Server 2008. This means that all organizations and the entire user base will be affected by these critical bulletins. Bulletin 2 looks as if it can be exploited by crafting malicious Microsoft Office files, or perhaps crafting a malicious web page that would be processed by the vulnerable software, which is also likely the case with bulletin 3. Both of these critical bulletins would result in remote code execution if compromised.
“Bulletins 4 and 5 are labeled as important, and would result in remote code execution if exploited. Both affect Microsoft Office applications. Labeling these bulletins as important indicates that an attacker will only inherit the permissions of the user. This means if a user is not an administrator, it's a somewhat lower risk. However, if a user has administrator privileges, these types of flaws can have the same impact as a critical rating.
“Bulletins 6 and 7 are elevation-of-privilege vulnerabilities, meaning that a regular user can upgrade their privileges to administrator level with any valid login. An attacker uses privilege escalation exploits to entrench and further infiltrate organizations and consumers. These type of vulnerabilities would be chained to other attack vectors to be effective.”