Patch management experts analyze Microsoft’s July 2012 security update

Every Patch Tuesday, my inbox fills up with commentary from patch management experts on Microsoft’s latest fixes. Rather than toss them aside, I like to run their analysis as is. With that, here’s the July 2012 breakdown, in which Microsoft released nine bulletins addressing 16 vulnerabilities:

Jason Miller, Manager of Research and Development, VMware

The most important bulletin this month that administrators should look at addressing first and foremost is the Security Bulletin addressing a Zero-Day vulnerability in Microsoft XML Core Services (MS12-043).  During the June 2012 Patch Tuesday, Microsoft released a Security Advisory stating they were aware of active, but limited, attacks against vulnerability in Microsoft XML Core Services.  In the past week, the code for this exploit has been made public, making this patch even more important in terms of severity.  With this vulnerability, a user who browses to a malicious website with Internet Explorer can result in Remote Code Execution.

With the Security Advisory release, Microsoft offered their customers a few workarounds to mitigate the risk of an exploit happening on customer machines.  If you have applied the workaround to disable Active Scripting in Internet Explorer, administrators may want to remove this locked down setting after applying the patches for this bulletin to return functionality to their users.  A second option Microsoft provided to their customers is a FixIt tool that locked down MSXML with the Enhanced Mitigation Experience Toolkit (EMET).  With this scenario, administrators should investigate whether to leave this lock down in place as it should not (in most cases) interfere with their users’ day-to-day browsing functionality.

There is one last note with MS12-043 that administrators should be aware of:  Microsoft XML Core Services 5.0 contains the vulnerability, but a security bulletin has not been published for this version of the software.  Microsoft is still testing the code fix for the vulnerability and will make the patch available when it is ready.  Look for this patch to be available within the next two weeks or in the August 2012 Patch Tuesday.

Outside of MS12-043, there are two other bulletins that administrators will want to turn their focus on.  Both of these bulletins continue the trend of vulnerabilities that can be exploited through web site browsing.  Web browsing attacks through malicious websites is still the most common active attack.

We are seeing for the first time in a long time that Microsoft has gone consecutive months with a Cumulative Security Update for Internet Explorer.  Typically, we can expect an update to Microsoft’s Internet Explorer browser every other month.  Microsoft has released Security Bulletin MS12-044, a patch for Internet Explorer version 9, to address 2 vulnerabilities.  If a user browses to a malicious website with Internet Explorer 9, the attack could result in Remote Code Execution.

Continuing with the browser based attacks this month Microsoft released Security Bulletin MS12-045.  This security bulletin addresses two vulnerabilities with Microsoft Data Access Components (MDAC).  Similar to the previous security bulletins mentioned, navigating to a malicious website with an unpatched system can result in Remote Code Execution.  In addition, a user opening a Microsoft Office document with a malicious embedded ActiveX control can result in Remote Code Execution.

Microsoft also released two new security advisories.  Microsoft Security Advisory 2719662 is showing how Microsoft is assisting administrators on hardening their network.  Windows Vista and Windows 7 both include Windows Gadgets and Windows Sidebar.  Both of these technologies could allow a user to load a malicious plugin.  Microsoft has provided administrators a FixIt tool that disables Windows Gadgets and Windows Sidebar.  It appears Microsoft is taking a more proactive approach to “patching” versus the older their older model of patching.  As I state in all of my monthly webinars, if you do not use a program, remove it from the computer.  This FixIt tool is another example of reducing the vulnerability landscape on computers.

With the other Microsoft Security Advisory (KB2728973), Microsoft released even more updates for their hardening of digital certificate effort.  I will be talking later this week on this subject.

Jim Walter, manager of the McAfee Threat Intelligence Service (MTIS) at McAfee Labs:

“The Internet Explorer update should be highlighted based on ease-of-exploitation for older-versions of the browser,” said Jim Walter, manager of the McAfee Threat Intelligence Service (MTIS) at McAfee Labs. “That being said, the real star of the show is MS12-043 (XML Core Services). This flaw started out as an out-of-band advisory in early June. This particular issue (CVE-2012-1889) is actively being exploited in the wild, and has been for some time.  McAfee is among the Microsoft partners listed as having released protections within 48 hours of the original disclosure of this flaw.  Another interesting inclusions, despite it being rated as ‘Important’ is MS12-051 which affects Microsoft Office for Mac. In May 2012 this privilege escalation flaw (specific to certain builds of Office for Mac) began lighting up on various forums and blogs.”

McAfee recommends that users install Microsoft’s patches as soon as possible. Home users should use Windows Automatic Updates. Microsoft has also included additional mitigations which McAfee Labs recommends all users, whether corporate or home, look closely at.

Business users need to have a risk management strategy in place to prioritize the patches. McAfee provides enterprises with endpoint and network based security technology as well as risk and compliance tools to shield against cyberattacks and allow organizations to patch on their own time.

Marcus Carey, security researcher at Rapid7:

“The Microsoft Security Bulletin Summary for July 2012 contains nine security bulletins addressing 16 CVEs. Three of the bulletins are rated critical and the other six are rated important. All of the critical bulletins address vulnerabilities where a victim could be exploited if they visit malicious web pages, and should serve as a warning that organizations will continue to face client-side browser related attacks.

MS12-043 addresses a vulnerability that is currently being exploited in the wild, and Microsoft predicts that MS12-044 and MS12-045 could also have reliable exploit code available within 30 days. Exploits targeting these vulnerabilities will likely be added to mass malware kits such as the Blackhole Exploit Kit once reliable exploit code is available.

MS12-043 addresses the CVE-2012-1889 vulnerability that is actively being exploited in the wild. Organizations should be aware that this update only patches MSXML versions 3, 4, and 6. All active exploitation has been leveraging attacks against MSXML version 3.  MSXML version 5 will be addressed in a future security update, which means organizations should apply the interim fix provided with Microsoft Knowledge Base Article 2719615 in the meantime (https://support.microsoft.com/kb/2719615).

 MS12-044 is a critical cumulative Security Update for Internet Explorer. This is a critical bulletin that patches vulnerabilities that only affect Internet Explorer version 9. Since Internet Explorer versions 6, 7, and 8 are not affected, it indicates that this is a new vulnerability introduced with the new code base of version 9.

MS12-045 is a critical bulletin that patches vulnerabilities in Microsoft Data Access Components (MDAC). It appears that this vulnerability could be used to compromise any application that leverages MDAC, if the victim visits a malicious URL.

The three critical bulletins should be tested and patched as soon as possible. Of the important bulletins, MS12-046 and MS12-048 should be next on everyone’s “Must Patch” list. MS12-046 and MS12-048 can both exploit victims who navigate to malicious WebDAV or SMB shares and opens malicious files in the malicious directory. These two bulletins are primed for spear phishing attacks.

MS12-046 addresses a DLL Preloading vulnerability related to Visual Basic for Applications [VBA]. There are targeted attacks in the wild that are exploiting this vulnerability. In regards to MS12-048, Microsoft predicts reliable exploit code will be developed within 30 days.

After MS12-046 and MS12-048 businesses can focus on the rest of the bulletins.”

Paul Henry, security and forensic analyst at Lumension:

IT administrators will have to deal with more fireworks this month with Microsoft’s Patch Tuesday. This month there are 9 patches, 3 of which are critical and 6 important. This is more than double last year’s July patches: 4 total, with only 1 critical. This puts Microsoft at 51 bulletins for 2012, about on par with 2011, which saw 56 bulletins at this time last year.

Looking at the bulletins, the first thing that jumps out is they impact the entire family of products, from XP all the way to 2008. This is a strange mix of patches, impacting both legacy and current generation software with critical issues. The suggested orders of priorities are MS12-043, MS12-045 and MS12-044 followed by the balance of the important bulletins released this period.

Critical issues:

• MS12-043 (MSXML) Addresses 1 CVE in XML Core Services that is currently being actively exploited in IE attacks. It is rated as critical because it can provide for remote code execution. The patch is applied across the board for all current Microsoft’s operating systems and may require a restart. It should be noted that in June, Microsoft issued Security Advisory 2719615 that provided a “FixIt” that blocked the IE vector for the related attack.
• MS12-044 (IE) Addresses 2 CVE issues that can provide for remote code execution with Internet Explorer 9. It is rated as critical for both Vista and Windows 7 and will require a restart.
• MS12-045 (MDAC) Addresses 1 CVE issue that is critical for XP, Vista and Windows 7 but is rated only as moderate for Windows 2003 and 2008. It is important to note that while the patch is applied to the operating system, the actual vector for exploitation of the vulnerability is via Internet Explorer.

The remaining bulletins are all rated important and impact a wide range of Microsoft products.

• MS12-046 (VBA) Addresses 1 CVE issue that impacts Microsoft Office for 2003, 2007 and 2010, as well as Visual Basic and may require a restart.
• MS12-047 (KMD) Addresses 2 CVE issues that were not fully addressed with the similar patch released in May 2012.
• MS12-048 (Windows Shell) Addresses 1 CVE issue and while it can provide for remote code execution, it requires a very targeted attack vector according to Microsoft.
• MS12-049 (TLS) Addresses 1 CVE issue that could be used to facilitate a man-in-the-middle (MITM) attack vector against TLS/SSL.
• MS12-050 (Sharepoint) Addresses 6 CVE issues that could provide for an escalation of privilege – most are XXS related.
• MS12-051 (Office for MAC) Addresses 1 CVE issue that could provide for an escalation of privilege.

Security Advisories

Security advisories included in July’s Patch Tuesday include one that adds additional certificates to the untrusted store (effectively revoking them) and an advisory that provides for the disabling of the Windows Vista Sidebar.  This advisory addresses an issue where users can currently install “Gadgets” in Sidebar from untrusted sources. It is important to note that if you disable the Sidebar you effectively disable all installed Gadgets.