Ready, set, patch! Microsoft releases nine security updates for multiple products

This month's patch load: nine bulletins, five of which are critical, addressing 27 vulnerabilities.

Microsoft's August 2012 security updates have just landed. They include:

  • MS12-060 – Office documents vulnerability that is already in the wild
  • MS12-054 – Remote Administration Protocol (RAP) of Windows Networking
  • MS12-058 – Flaw in Exchange Server disclosed three weeks ago
  • MS12-052 – New version of IE; third successive month of patching IE, making the browser more secure and the patching process more streamlined
  • MS12-053 – Remote desktop protocol (RDP)

Here's some early analysis from a few patch management specialists:

Wolfgang Kandek, CTO of Qualys:

Taken together, both workstation and server administrators will have their hands full. Five of the Microsoft bulletins are rated "critical" and at least the first four critical bulletins deserve an even higher urgency due to their potential impact on workstations and servers:

• MS12-060 fixes a vulnerability that is already being exploited in the wild. The vulnerability is located in the Windows Common Control and can be triggered through Office documents and through malicious web pages. The currently known attacks have been targeting Word and WordPad through RTF files attached to e-mail messages.

• MS12-054 addresses a flaw in the Remote Administration Protocol (RAP) of Windows Networking that an attacker can use to spread quickly within enterprise networks. The attacker first needs to gain access to a machine on the network and then needs to share a resource (say a printer) with a specifically crafted name that encodes the exploit for the vulnerability. All Windows machines will periodically query the network for shared resources and automatically execute the exploit code contained in the resource name. The vulnerability allows Remote Code Execution only for Windows XP and 2003; if you are on a current version, you are not affected. Microsoft has a detailed post with more background information on the SRD blog.

• MS12-058 patches the flaw in the Exchange Server disclosed three weeks ago in KB2737111. The popular Outlook Web Access (OWA) Exchange component uses a vulnerable module from Oracle's Outside In product to perform document conversions. An attacker who can lure a user to look at a malicious document through OWA can gain access to the Exchange server at a low privilege level. The attacker would have to combine the exploit with a second exploit, a local privilege escalation, to gain full control over the server. Again, Microsoft has more details on the SRD blog.

• MS12-052 is a new version of Internet Explorer (IE) that addresses two critical vulnerabilities. All versions of IE from 6 to 9 are affected. Web browsing is one of the most common attack entry points and this new version should be included in the initial patch rollout. Remember that Microsoft in July implemented an accelerated rollout cycle for IE, so from now on you can expect to get an update for IE every month rather than every other month.

• MS12-053 is a fix for a remote desktop protocol (RDP) vulnerability in Windows XP running Terminal Services. This is the third RDP vulnerability this year (MS12-020, MS12-04X) and we are hopeful that most organizations have been cataloging their externally exposed RDP services and will be able to patch this vulnerability as quickly as possible.

Paul Henry, security and forensic analyst, Lumension:

Several reboots affecting all versions of Windows make August a busy patch month. Microsoft updates include patches to new problems, updates to old problems and something that may cause more work than you may have been anticipating this month.

Prioritizing the Patches

There are nine security bulletins this Patch Tuesday, five critical and four important. Let’s start with the most important one, MS12-060. It affects all platforms of Windows and addresses an ActiveX component that’s redistributed in many places in Windows. It’s an issue that was previously patched and this month’s patch cleans up the previous one. This is a very high priority update because it’s native in Windows and impacts all Windows platforms.

If you’re running RDP in Windows XP, then MS12-053 is an equally important update. There have been a few updates for RDP from Microsoft lately but it’s especially important you don’t overlook this one. This is a remote code execution issue pre-auth, so no authentication is needed. RDP is not a default setting, but if you are using it, you should install this patch. This only affects Windows XP, but it is a high priority update.

Your second priority should be MS12-052. This critical update is cumulative for Internet Explorer and it fixes four separate critical issues involving remote code execution.

MS12-054 is another critical update. It is a Windows networking component issue and it should be your third priority for August.

Rounding out this month’s critical patches is MS12-058. This is an Exchange issue with the third-party product Outside In from Oracle. Oracle had a few RCE vulnerabilities in Outside In, which is licensed by Microsoft for Exchange.

Next up are the bulletins ranked important.

  • MS12-055 is an elevation of privilege issue for Microsoft Windows.
  • MS12-056 is a kill bit update for JavaScript. It’s pretty standard and also cumulative.
  • MS12-057 and MS12-059 are Office updates. They’re important remote code execution issues and fairly standard.

Lastly, we can expect to see a refresh to MS12-043 this month. This is an XML core services update. The previous patch addressed XML 4.0 and the refresh will include XML 5.0. It should be noted that there haven’t been any 5.0 attacks at this point.

Marcus Carey, security researcher at Rapid7:

“MS12-052 is a critical patch for four vulnerabilities in Internet Explorer 6, 7, and 8. This bulletin is a continuation in Microsoft’s monthly Internet Explorer patch cadence. This should be number one on organizations’ and consumers’ “must patch” list.

MS12-053, labeled as critical, patches yet another Remote Desktop Protocol (RDP) vulnerability, though Microsoft states that exploit code would be difficult to build for this bulletin. MS12-054, also labeled as critical, addresses four vulnerabilities relating to Windows Network Components. Microsoft says that exploit code is unlikely for these vulnerabilities. Both MS12-053 and MS12-054 should be mitigated by traditional perimeter defense measures such as firewalls.

MS12-058, labeled as critical, addresses a vulnerability that was introduced by Oracle Outside In, which is used as part of Exchange. It’s interesting that Microsoft labels this critical, while Oracle listed the vulnerability in their Critical Patch Update with a base score of 2.1, which is very low. After MS12-052, MS12-058 should be an organization's second priority to patch. It appears to be an excellent option for spear phishing attempts since it can compromise the server simply by a legitimate user opening a malicious document using Outlook Web App (OWA). An attacker could then escalate privileges from there.

The last critical bulletin, MS12-060, addresses vulnerabilities in Windows common controls, which are used in a slew of productivity and business related software such as Office and SQL Server. This bulletin could affect both business and consumers. Microsoft is aware of it being used as part of targeted attacks in the wild, which are unlikely to affect consumers; however, business and government organizations should deploy this patch as soon as possible.”

Copyright © 2012 IDG Communications, Inc.