Microsoft released seven security bulletins Tuesday to address vulnerabilities in Internet Explorer and Word. This Patch Tuesday brings the total count for the year to 83 bulletins, down from last year’s 100 and the 117 bulletins of 2010.
Here's some of the raw analysis I've received this afternoon from two patch management experts.
Wolfgang Kandek, CTO of Qualys:
Today is the last Patch Tuesday of 2012. Its seven bulletins bring the total count for the year to 83, significantly down from last year’s 100 bulletins and even more from the 2010 count, which ended at 117 bulletins. Maybe even more important than the raw numbers is the more regular release rhythm that Microsoft set this year. We see this as a clear sign of a more mature process.
Back to the December Bulletins: Five of this month’s bulletins are rated as critical by Microsoft, meaning that the addressed vulnerabilities can be used by an attacker to gain complete control over the targeted machine. Of the five, we think that MS12-079, a bulletin for Microsoft Word is the most important. The attack can be accomplished through e-mail using a flaw in the Rich Text Format (RTF). An attacker can gain control of a computer without end user interaction because Microsoft Outlook automatically displays the malicious text in the Preview Pane. A potential work-around is to manually configure the preview pane in OutLook’s Trust Center to use plain text only, but one loses a significant amount of functionality that way. A close second in priority is the Internet Explorer bulletin MS12-077, which addresses vulnerabilities in Internet Explorer 9 and 10, the newest versions of IE that run under Vista, Windows 7 and Windows 8. Here, an attacker would have to lure the attack target to browse to a malicious webpage. This is a tad harder than sending the target a simple e-mail, another common attack method.MS12-087 fixes a vulnerability in Windows Explorer and is triggered through a malicious Unicode filename. The attacker would have to control an SMB or WebDAV fileserver that the target accesses in order to exploit the vulnerability. A good mitigation for these types of attacks would be firewall SMB filesharing and WebDAV on the outbound firewall or proxy to restrict the use of these protocols to the internal network and limit their use on the Internet.
Paul Henry, security and forensic analyst for Lumension:
IT has 7 patches to deal with in December, 5 are critical and 2 are important. Fortunately, none are currently under active attack so that will hopefully set IT’s mind at ease as they begin to apply this set of patches.
2012 in Review
With the multitude of third-party application patching needed this year from the likes of Adobe, Java and even Apple, you likely didn’t notice Microsoft put out fewer patches in 2011 – 20% less in fact. In 2011, Microsoft Patch Tuesday released 100 bulletins for the calendar year, of which 34 were critical, 63 important and 3 moderate. In 2012, they reduced the number of bulletins to 83 for the year, of which 35 were critical, 46 important and 2 moderate. It’s great to see that Microsoft’s Secure Coding Initiative is paying off, reducing the number of vulnerabilities in their software, resulting in an easier time for IT at Patch Tuesday time.
A look back over the last couple of years proves interesting. In 2011, January had 2 bulletins, while February had 12. March then went back down to 3, but April went up to 17. May had 2 and June went back up to 16. In contrast, January of this year had 7 patches, February had 9, then 6 in both March and April, and 7 in both May and June. In fact, only one month – September, at 3 – was lower than 6 or higher than 9. The degree of consistency makes it easier for IT to plan out the time and effort they’ll need to spend on Patch Tuesday each month.
December Patch Priority
The most important bulletin this month is MS12-077, affecting IE 9 and IE 10. It’s a critical severity rating. These are use-after-free issues. They affect only components that were introduced in IE9, which is interesting, because it means that it affects IE 9 and IE 10 and the downlevel platforms don’t really have the components. Microsoft has done some defense in depth hardening for those platforms to address these issues. However, because those platforms don’t have the affected components, they were not given a severity ranking.
The next priority is MS12-079, which is a Microsoft Word remote code execution vulnerability. While typical Word vulnerabilities are ranked important, this is ranked critical. Similar to a bulletin issued a few months ago, there’s an issue with RTF formatted data that can be parsed in the Outlook Preview Pane, executing the vulnerability. Because of that parsing, this will be very important to apply quickly.
Next, MS12-081 is a kernel mode drivers’ issue, ranked critical. Similar to a bulletin last month, this affects True Type and Open Type parsing. However, because executing on this vulnerability would be time consuming and difficult, this is less important than the Word and IE issues.
MS12-080 an Exchange vulnerability involving a remote code execution. A few months ago, Microsoft addressed Oracle Outside In vulnerabilities for the first time. This is a similar update addressing the recent Oracle update to Outside In. There’s never been an active attack on this, but it’s an important component, so it’s good to see Microsoft performing their due diligence here.
Then we have MS12-078, a remote code execution issue in the Windows file handling component, affecting Windows XP through Windows 7. Fortunately, Windows 8 is not affected here. Essentially, when Windows Explorer parses a file name, it hits this vulnerability.
MS12-082 affects a vulnerability in Direct Play, affecting all versions of Windows from XP through Windows 8. As we said last month, Windows 8 is unfortunately not perfect, security-wise, and we can expect updates for that operating system to become more common in 2013. If you use Direct Play to parse content in Office documents or things embedded in Office documents, this vulnerability will come into play. The Office documents will act as a vector, but it is a Windows level vulnerability.
Finally, MS12-083 is a vulnerability in IP HTTPS, which is a component in Direct Access. Direct Access is a common VPN authentication solution that checks corporate credentials when you log in to ensure they have not been revoked or expired. Essentially, this is a bug that doesn’t honor the revocation of time stamp, as you might see for corporate credentials after an employee leaves a company. This vulnerability would allow someone with a revoked certificate to log in and access corporate assets. This is ranked important if you use Direct Access.