May 2012 Microsoft Super Tuesday
Posted by Shane Garrett on May 08, 2012 at 2:29 PM EDT.
The May security update from Microsoft is a large one. There are seven bulletins covering 23 CVEs. Three of the bulletins are rated Critical and should be applied immediately. Several of the addressed vulnerabilities were also listed as publicly disclosed. Here is a closer look at the critical bulletins and the vulnerabilities they address.
- MS12-034 : Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
This bulletin is a doozie. Ten vulnerabilities are addressed in this update, three of which are listed as publicly disclosed. The updates touch many parts of the operating system. This includes vulnerabilities in the kernel such as TrueType font parsing and GDI+ parsing via EMF files, as well as user-mode vulnerabilities in .NET/Silverlight and others.
Regarding the vulnerabilities marked as publicly disclosed, only CVE-2011-3402 could result in remote code execution. CVE-2011-3402 was the TTF vulnerability used by the Duqu malware for escalation of privilege; however, the vectors used by the malware were already patched as part of MS11-087. CVE-2012-0164 is a vulnerability in .NET that causes a DoS. CVE-2012-0181 is a vulnerability in the kernel code responsible for handling keyboard layouts. Vulnerabilities in this keyboard layout area of the operating system have been successfully used by malware such as Stuxnet for escalation of privilege.
Many of the vulnerabilities addressed in this update can be leveraged for remote code execution. Two of the vulnerabilities are in the kernel code responsible for parsing TrueType fonts. These types of vulnerabilities are nasty because this code runs in the kernel, and malicious fonts can be embedded in web pages as well as Office documents. Two of the .NET/Silverlight vulnerabilities can be leveraged for remote code execution by being hosted on a web page. Both GDI+ vulnerabilities can be exploited via specially crafted EMF files, which can be embedded in Microsoft Office documents and sent as attachments.
- MS12-035 : Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Two more vulnerabilities in .NET are addressed in this bulletin, both privately reported. These are separate vulnerabilities, but each involves problems in the code responsible for serializing data from an object and deserializing it back into one. Exploitation via specially crafted .NET code can result in arbitrary code execution in the context of the current user.
- MS12-029 : Vulnerability in Microsoft Word Could Allow Remote Code Execution
A single vulnerability in Microsoft Office's RTF parser is addressed in this update. This vulnerability can be exploited for remote code execution in the context of the current user. The RTF parser is shared among Office components, so vulnerabilities in the parser can be exploited via an email rendered as RTF in Outlook as well as via document attachments.