August 2012 Microsoft Super Tuesday
Posted by Shane Garrett on August 14, 2012 at 2:24 PM EDT.
Two of the bulletins addressed this month by Microsoft are remote code exploitation attacks that have either seen active exploitation (MSCOMCTL) or have public proof of concepts available (Exchange). In addition to these two bulletins we've also given a summary of the other bulletins rated Critical.
- MS12-060 : Vulnerability in Windows Common Controls Could Allow Remote Code Execution
Another bug in the Microsoft Common Control library (MSCOMCTL) that can be leveraged for remote code execution was addressed in this update. Earlier in April of this year, Microsoft released MS12-027 which addressed a similar problem in the same library. Both this vulnerability and the previous one have seen active exploitation. Since MSCOMCTL is a COM/ActiveX control, it can be embedded in web pages or common document formats such as DOC, XLS or RTF. Due to the active exploitation of this vulnerability and the large attack surface, it should be patched immediately.
- MS12-058 : Vulnerability in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution
This bulletin addresses a number of remote code execution vulnerabilities that affect Microsoft Exchange. These are due to the Outlook Web App's (OWA) WebReady Document Viewing feature which uses Oracle's Outside-In technology to render some types of file formats. An attacker could email a malicious file to a victim who then views it over OWA. This could lead to attacker supplied code running on the server in the context of the Local System account. These issues were originally fixed in Oracle's July 2012 Critical Update and are now being updated in Exchange. More specifically, these vulnerabilities were in the code responsible for parsing the .VSD, .WSD, .JP2, .DOC, .SXD, .LWP, .PCX, .SXI, .DPT, .PDF, .SAM, .ODG, and .CDR file formats. Public proof-of-concept exploits for some of the file formats are available so this update should be applied immediately.
- MS12-053 : Vulnerability in Remote Desktop Could Allow Remote Code Execution
One privately reported vulnerability in the Remote Desktop Protocol (RDP) was addressed in this update. This vulnerability can be exploited for remote code execution by an attacker sending specially crafted packets to the victim's machine running RDP. Although RDP isn't enabled by default on Windows OSes, it is often enabled on high priority servers in order to remotely administer them. This update should be applied to all systems.
- MS12-052 : Cumulative Security Update for Internet Explorer
- MS12-054 : Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution
Four privately reported vulnerabilities in various Windows networking components were addressed in this update. Three of the issues were in the remote administration protocol, two of which could be leverage for remote code access; the other is a denial-of-service. The print spooler service was also affected by a remote code execution vulnerability. An attacker could exploit these vulnerabilities by sending specially crafted packets to the affected services. Due to the severity of these issues the update should be immediately applied.