Microsoft released seven bulletins in Windows, Office and SQL Server today as part of its monthly update cycle. It recommends customers pay special attention to MS12-064, which addresses a security hole in Word.
Here's what two patch management experts have to say about today's patch bundle:
Wolfgang Kandek, CTO, and Amol Sarwate, director of vulnerability research, Qualys:
MS12-064 is the only bulletin rated "critical". It fixes two vulnerabilities in Microsoft Word and applies to all versions of Microsoft Office. It addresses a vulnerability that can be exploited via a malicious RTF formatted e-mail through the Outlook Preview pane without having to open the e-mail. Since the development complexity of an attack against this vulnerability is low, we believe this vulnerability will be the first to have an exploit developed and recommend applying the MS12-064 update as quickly as possible.
All other bulletins are rated as important and apply to a wide variety of software ranging from Windows to SharePoint to SQL Server, and include:
- MS12-069 is a bulletin that applies to Windows 7 and Windows 2008 R2 and addresses a DoS-style vulnerability where a specifically malformed Kerberos packet can crash the target machine.
- MS12-066 addresses an XSS vulnerability in Microsoft's SafeHTML library that is in use in a number of products, including Microsoft SharePoint and Lync, Microsoft's IM client.
- MS12-067 is another instance of a vulnerability introduced by the Oracle Outside In library. Oracle addressed a number of critical vulnerabilities in that library in its last CPU in June 2012, and now all software vendors that had embedded a version of this vulnerable library need to provide updates to their products. This instance is a non-default, paid add-on to SharePoint that provides document indexing capabilities. An organization could be exploited if the add-on is installed and if an attacker is able to upload a malicious file into a SharePoint server.
- MS12-070 fixes an XSS vulnerability in one of the reporting modules of Microsoft SQL Server. An attacker could use it to gain information about the SQL Server installation and would have to convince a SQL Server administrator to click on a link that contains the malicious XSS code.
Marcus Carey, Rapid7:
MS12-064, rated at critical, affects Microsoft Word and would allow an attacker to send a malicious file which, when opened or previewed, would fully compromise the victim's system. Organizations and consumers should apply this patch as soon as possible. This is the type of exploit that we have seen being used as a part of spear phishing attacks.
MS12-067 is an important bulletin which could be a concern for organizations running Microsoft FAST Search Server 2010 for SharePoint. FAST is Microsoft's search engine for SharePoint intranet content, and exploitation of MS12-067 would result in remote code execution. Microsoft has already patched 13 vulnerabilities related to FAST.
The interesting thing about this vulnerability is that the vulnerable component is Oracle's Outside In file format conversion library. This library is heavily used in the enterprise application space and is embedded into many file search and indexing applications, including mobile gateways such as BlackBerry Enterprise Server. I would expect to see a rash of related security updates become available for all enterprise products using this library. Oddly enough, even though the July bulletin included an update for Exchange 2007 and 2010 for Outside In flaws, the October one does not, which may point to an upcoming patch for Exchange Server, or something specific about the issues identified in this bulletin that excludes Exchange as a potential target.
MS12-070 is an XSS vulnerability that could affect Microsoft's SQL Server, although it affects the web interface, not the actual database server itself. However, successful exploitation of MS12-070 would result in an escalation of privileges.
MS12-066 is another important bulletin that affects a wide range of web-based collaboration products, including SharePoint, Groove, and InfoPath, as well as the hosted version of Microsoft Office. This flaw allows privilege escalation through an XSS vulnerability and organizations with untrusted users of these products should prioritize this patch.
Also note that Microsoft updated KB2758994 yesterday, indicating that an update is now available for Windows 8 and Windows 2012 Server that fixes a known vulnerability in the Adobe Flash Player plugin.
MS12-069, although only a Denial of Service, should also be prioritized, as it may allow an unauthenticated attacker on the local network to take down Kerberos services on a Windows domain controller. A repeated attack against an organization's domain controllers could have a major impact on the functioning of the business.
The remaining bulletins should be triaged, tested, and applied as soon as possible.