Your May 2012 patch update from Microsoft

Microsoft has just released seven bulletins — three critical and four important — addressing 23 vulnerabilities, as part of its monthly Patch Tuesday rollout. Each month we gather up the early analysis from patch management experts. Here’s what they’re saying this month.

Wolfgang Kandek, Qualys CTO:

“MS12-029 is the bulletin that should be highest on the list for most organizations, as it can be used to gain control of an end-user’s machine without requiring user interaction. The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.

“MS12-034 — addressing 10 vulnerabilities — is the second critical bulletin, and it applies to the broadest selection of Microsoft software this month. Here’s some background to help to understand why: In December of 2011 Microsoft issued bulletin MS11-087, which patched a vulnerability in the TrueType Font handling in win32k.sys DLL that had actively been exploited by the Duqu malware.

“After the fix was delivered, Microsoft’s internal security team started an effort to identify further occurrences of the vulnerable code in Microsoft’s other software packages and found multiple products that contained the flawed code.

“MS12-034 now provides the patches necessary to address these “Sons of Duqu,” together with a number of other security fixes (9 CVEs) that were bundled into the same files. See Microsoft’s SRD blog for a good summary. MS12-035 is the third critical bulletin and addresses a flaw in XBAP, a Microsoft browser based application delivery format. It is probably the least urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the Intranet zone of the target. Since June 2011, with the MS11-044 bulletin, Windows has changed its behavior from simply running an XBAP application to asking the user (via a popup window) whether it is ok to execute the application, which provides an additional layer of security. However, similar to our recommendation for Java, we advise users to completely disable XBAP to improve the overall robustness of your installation. MS12-030 for Excel and MS12-031for Visio. Both are file-format vulnerabilities that allow an attacker to take control over the targeted machine if its user opens a specifically crafted file. As we have seen in some of the last year’s data breaches, this lowers the success rate only slightly as attackers are capable of drafting a convincing e-mail that can trick a percentage of the e-mails recipients into opening such a file.”

“Of the remaining four important bulletins, we recommend focusing on 

Joseph Chen, engineering director, Security Technology and Response, Symantec:

“The remote code-execution vulnerability used against Microsoft Office, Windows and .NET Framework tie back to the TTF vulnerability used by Duqu,” said Joseph Chen, Engineering Director, Security Technology and Response, Symantec. “We recently found a new Duqu sample showing that the threat is still active. Microsoft has provided some further patching, in addition to the already issued patch for the used vulnerability at the end of 2011.

“We also see a much larger patch of vulnerabilities affecting Microsoft Excel,” Chen added. “The patches are rated important rather than critical because you still get a prompt to download or open the malicious content rather than it infecting automatically, but it could still be used as a targeted attack.

“The .NET vulnerabilities are also prominent in this month’s patches,” Chen concluded. “Exploits for this vulnerability are likely to be hosted as drive-by downloads on maliciously created or otherwise compromised websites. So, as always we strongly advise avoiding sites of unknown or questionable integrity, to protect from attacks seeking to use these security holes.”

RedSeal Networks CTO Dr. Mike Lloyd:

“Experienced security teams realize that they can’t afford for each successive Patch Tuesday to be a panic.  Every round tends to include critical notifications, including risk of remote code execution – seven in this batch.  Mature teams look to get ahead of the curve, knowing these things are coming. 

Getting proactive requires planning for survivability by making sure your defenses are in shape before the latest disclosure.  BYOD is the same kind of pressure. You know your users are going to walk in and out of your building with all kinds of vulnerabilities, known and unknown.  The right response is segmentation – keep some controls between the dangerous endpoints and the critical resources.”