


Your June 2012 Patch Tuesday Update

Jun 12, 2012 | 6 mins
Application Security, Data and Information Security, Network Security

Microsoft released seven security bulletins — three critical and four important — addressing approximately 27 vulnerabilities scattered across Windows, Internet Explorer, Dynamics AX, Microsoft Lync, and the .NET Framework. Each Patch Tuesday we run commentary from the various patch management vendors on what’s most important. Here’s what they have to say about the June 2012 patches.

Wolfgang Kandek, CTO of Qualys:

June’s Patch Tuesday comes in with a slight change. Microsoft is holding back the bulletin for Office and replacing it with a bulletin for Microsoft Lync, the enterprise instant messaging offering, also rated important. The number of advisories stays the same but the number of vulnerabilities addressed goes from 28 to 27.

Initially we also expected to get a new Windows Update client to further harden the Windows Update process, but this has been postponed to start after Patch Tuesday. The new Windows Update client is designed to address one of the security findings brought to light by the Flame malware, a code-signing flaw that allows attackers to sign executables with a key from Microsoft, making malware appear as legitimate software. As an immediate workaround, it is recommended for organizations to install KB2718704 which removes the offending certificates from the local workstation certificate store as soon as possible. Ultimately Microsoft is changing its software distribution process to gain additional robustness, by delivering a new Windows Update client that requires a new and unique code signing certificate and secures the delivery channel with additional restrictions.

Notwithstanding the changed advisory, the highest priority continues to be MS12-037, an advisory for Internet Explorer that fixes 12 vulnerabilities. One of them, CVE-2012-1875, is already being used in limited attacks in the wild, making it urgent to apply the patches for the vulnerability as quickly as possible. Another one of the vulnerabilities addressed is CVE-2012-1876, which was turned over to Microsoft by VUPEN during the PWN2OWN contest, held in early March at CanSecWest in Vancouver. Related to PWN2OWN, Google also released this week a description of the second exploit against Google’s Chrome browser discovered at CanSecWest, which examines how security researcher Sergey Glazunov chained together an impressive 14 vulnerabilities to gain control over the target machine.

Our second highest priority is advisory MS12-036, which fixes two vulnerabilities (one critical) in the Microsoft RDP service, which were discovered internally by Microsoft after further auditing the RDP code during investigations of the MS12-020 advisory. Similar to MS12-020, using NLM to authenticate RDP sessions is a valid work-around, and we recommend looking into configuring NLM as the standard authentication mechanism as a hardening measure.

MS12-038 is the third critical advisory, which covers a .NET weakness in the delivery of the XBAP application through the browser. IE9 is not affected as XBAP, at least in the Internet Zone, is disabled by default, a great defensive setting.

Marcus Carey, security researcher at Rapid7:

MS12-036 is a critical bulletin that addresses vulnerabilities allowing an attacker remote code execution related to the Windows Remote Desktop Protocol (RDP). This relates to MS12-020, which had organizations on high alert in March after Microsoft issued warnings that the vulnerability could be weaponized to result in widespread attacks. Up to now, MS12-020 has only been exploited as a reliable denial of service attack; however, from what I understand MS12-036 may offer a more reliable attack vector for exploitation. The silver lining is that after MS12-020, many organizations took preventative measures to disable RDP, especially at egress points in their networks. If organizations must run RDP on the Internet, they should test and deploy MS12-020 patches as soon as possible.

MS12-037 is also labeled as critical and affects Internet Explorer 6, 7, 8, and 9. This is a cumulative patch that addresses several vulnerabilities, including those disclosed by VUPEN at CanSecWest’s Pwn2Own hacking competition. MS12-037 should be priority number one for organizations and consumers. We consistently see browsers and their plugins as the primary attack vector for crimeware and advanced persistent threats.

MS12-038 is a critical vulnerability that affects Microsoft Windows and the .NET Framework and is the second highest priority after MS12-037 due to its potential to affect organizations. MS12-038 allows an attacker to exploit systems if a user views a specially crafted webpage using a web browser. This could have limited effects if users operate under least privilege; however, we know that least privilege isn’t always enforced in organizations.

If you were paying attention to this month’s advanced notification, Microsoft was supposed to patch important vulnerabilities related to Microsoft Office and Visual Basic with MS12-039. Instead, MS12-039 has been changed to update Microsoft Lync, formerly Microsoft Office Communicator. MS12-039 should only affect enterprise customers, although it is uncertain how large the actual deployment is of Microsoft Lync in enterprises. As a result of this change, organizations should also be on high alert as usual because Microsoft has since pulled fixes for Microsoft Office related to Visual Basic. In reality we should always be wary of suspicious documents and attachments.

MS12-040 is related to Microsoft Dynamics AX 2012, which is a Microsoft enterprise resource planning software product. MS12-040 – although labeled as important – will make most organizations yawn because of the limited deployment of the product.

MS12-041 and MS12-042 are important bulletins that affect Microsoft operating systems, and could result in an escalation of privileges if successfully compromised. The MS12-041 vulnerability can be used on all modern Windows operating systems to escalate to administrative privilege level. MS12-042 also mitigates escalation of privilege vulnerabilities, but affects a select number of Windows operating systems, not all, which is a bit strange. MS12-041 and MS12-042 should affect both businesses and consumers.

Steven Hultquist, senior network security engineer, RedSeal Professional Services:

It’s interesting to see the more high-profile patches in here related to the Flame threat and PWN2OWN. While many researchers will criticize the very existence of such flaws and the ability for them to expose organizations to attack, this kind of turnaround in terms of patching was unheard of only a few years ago. It’s a testament to increased awareness. At the same time I’m frequently reminding customers that the next big attack is likely already in progress and in all probability it leverages some vulnerability that we don’t know about, yet.

Attacks continue to become more sophisticated, and the involvement of major governments, criminal enterprises, and espionage organizations continues to grow, driving this trend faster and further. Cyberattack is one of the most straightforward ways for attackers to accomplish their objectives, whether disruption, theft, or simply to generate loss for the target, clearly. At the same time, we all know that there are fundamental security issues we’re not monitoring closely enough. If networks are properly segmented and defenses are kept up to date, many more attacks can be stopped, patches or no patches. This includes the advanced threats, too. Well managed network security is still the best defense out there. This is hardly a new concept–it’s just harder to manage network security than ever before.