Patch Tuesday preview, July 2012

Patch Tuesday is tomorrow. Expect nine security bulletins, three of them for critical vulnerabilities in Windows and Internet Explorer. If Microsoft sticks to plan, the rest will cover “important” security holes in Office, developer tools and server software.

Here’s some analysis from three patch management experts:

Wolfgang Kandek, CTO of Qualys:

Bulletin 1, rated “critical,” affects all versions of Windows, and we expect it to address the XML vulnerability disclosed by Microsoft in June’s Patch Tuesday as KB2719615. This bulletin will be the highest priority for users, at least for those who did not apply Microsoft’s FixIt supplied in the advisory.

Bulletin 2 is for Internet Explorer (IE) and is a bit of a surprise as it breaks the usual cycle of supplying an update for IE every two months. The bulletin only applies to IE9 and is thus limited to Vista and above.

Bulletin 3 is “critical” for all desktop operating systems, XP, Vista and Windows 7; for all others it is rated only “moderate.

Marcus Carey, security researcher at Rapid7:

Many are expecting a patch for CVE-2012-1889: a vulnerability in Microsoft XML Core Services, which is currently being exploited in the wild. Microsoft released a temporary fix for this last month, and hopefully organizations will apply that while Microsoft works on a permanent fix; however, it isn’t clear whether that will be issued in the July Patch Tuesday release. Bulletins 1 and 3 are critical bulletins that could result in full compromise systems without user interaction. These bulletins affect both business and consumer users of all modern versions of Microsoft Operating Systems, so they should be attention-grabbers. Microsoft will surely provide details next week on these two bulletins and users need to pay attention to these and patch as soon as possible. Bulletin 2 relates to a critical browser vulnerability that affects Internet Explorer 9. It doesn’t affect IE9’s predecessors, which means that  it  was introduced in the latest iteration of the browser. If you are running IE9, you should definitely apply this patch now. The rest of the bulletins are listed as important and should be tested and patched if organizations are affected.

Alex Horan, senior product manager, CORE Security:

“The most interesting Bulletins are 1, 3 and 4. For 1 and 3, these are really appealing to an attacker because they are remote code executions of almost every version of Windows. It’s a widely deployed base and the same vulnerability across all those operating systems. You write the exploit once and with tweaks, it can exploit all of them. Bulletin 4 is appealing to an attacker as well because it’s basically every version of Microsoft Office in the last nine years. As an attacker, I would just need to send an email to someone running a vulnerable Microsoft Office system anywhere in the world, get them to interact with something on that email, and I have control of their machine. The attacker does not need to “see” the system they are targeting.  This makes the initial attack easier and a higher-probability.  This initial attack vector in combination with MS Office’s widely deployed installed base, makes this bulletin a very attractive issue for attackers. ”