Internet Security Systems - AlertCon(TM)

December 2012 Microsoft Super Tuesday

Posted by YongChuan Koh on December 11, 2012 at 5:49 PM EST.

The Microsoft security updates for December 2012 consist of seven bulletins covering 11 CVEs. Six of the bulletins are rated 'Critical' and their updates should be applied immediately. In addition, two of the CVEs, CVE-2012-3214 (Exchange) and CVE-2012-2556 (Windows kernel-mode driver), were publicly disclosed before the release and proof-of-concept code for them is available. Here is a summary of my thoughts on the critical updates, which should be applied to affected systems immediately.

  • MS12-077 (KB2761465) Cumulative Security Update for Internet Explorer
    This bulletin addresses three privately reported vulnerabilities affecting Internet Explorer 6 through 10, including use-after-free bugs in DOM object handling. They could be exploited for remote code execution in the context of the logged-on user when the user is lured to a malicious web page, so the usual drive-by and phishing-link vectors apply. This update should be applied to all systems immediately.
  • MS12-078 (KB2783534) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
    This bulletin addresses two vulnerabilities in the Windows kernel-mode driver that parses fonts: CVE-2012-4786 could be exploited for remote code execution, while CVE-2012-2556, the one that was publicly disclosed, is a denial of service. Both are triggered by specially crafted OpenType (OTF) or TrueType (TTF) font files, which could be embedded in a malicious web page or a document attachment, so simply rendering the content is enough. Because the parsing happens in kernel mode, successful exploitation of the RCE bug yields code execution in the kernel rather than in the user's context, which is why this update should be applied immediately, especially on critical machines.
  • MS12-079 (KB2780642) Vulnerability in Microsoft Word Could Allow Remote Code Execution
    This bulletin addresses a single privately reported vulnerability in the RTF parser used by Microsoft Word. It could be exploited for remote code execution in the context of the current user when a specially crafted RTF file is opened or previewed. Because Outlook can use Word to render RTF email, the attack can be delivered as an email that is merely previewed in Outlook as well as a document attachment that is opened. This update should be applied immediately.
  • MS12-080 (KB2784126) Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution
    This bulletin addresses publicly disclosed remote code execution vulnerabilities in Microsoft Exchange. They lie in the WebReady Document Viewing feature of Outlook Web App (OWA), which uses Oracle's Outside In libraries to render certain attachment formats in the browser. An attacker sends a message with a malicious attachment, and the vulnerability is triggered when a user views that attachment through OWA; the parsing takes place on the server, not on the client. If exploitation is successful, the attacker could run code on the Exchange server in the context of the transcoding service, which runs as the LocalService account. These issues were originally addressed in Oracle's October 2012 Critical Patch Update (http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html), and the fixed Outside In libraries are now being shipped in the Exchange updates. Public proof-of-concept code exists for some of the affected file formats, so this update should be applied immediately.
  • MS12-081 (KB2758857) Vulnerability in Windows File Handling Component Could Allow Remote Code Execution
    This bulletin addresses a single privately reported vulnerability in the way Windows parses file names. It could be exploited for remote code execution in the context of the current user. To be affected, the user must be convinced to browse to a folder containing a file or subfolder with a specially crafted name; the file does not have to be opened. That folder could be on a network share, the file could arrive as an email attachment, or it could be served from a web page. Because of the multiple potential attack vectors, this update should be applied immediately.
  • MS12-082 (KB2770660) Vulnerability in DirectPlay Could Allow Remote Code Execution
    This bulletin addresses a single privately reported vulnerability in Microsoft DirectPlay. It is a memory corruption issue: DirectPlay fails to properly handle specially crafted content. The delivery vector is an Office document with embedded content that causes DirectPlay to parse the malicious data, so the usual email attachment or web-page download lure applies. This update should be applied immediately.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.