Microsoft Issues A Long List Of Fixes For Patch Tuesday6:27 PM EST Tue. Aug. 14, 2012
Microsoft has released a string of security fixes in conjunction with its August Patch Tuesday.
As previously indicated, Microsoft's dispatch includes nine bulletins, five of which are rated critical and are in need of immediate attention. Additionally, Oracle and Adobe have each announced patches of their own that largely correspond to effectively closing the Microsoft vulnerabilities.
One of the most critical Microsoft bulletins involves a vulnerability in Windows Common Controls. "This one takes the cake," said Andrew Storms, director of security operations at nCircle. "It's similar to a bug they patched in April, but this time the attack vector is an RTF file. The effect is somewhat reduced because you have to open the file; it's not a preview pane kind of thing. But, they are now saying that they have seen limited targeted attacks out in the wild."
But, Paul Henry, security and forensic analyst at Lumension Security, believes that the highest criticality for August goes to the XP patch for RDP. "This is a remote code vulnerability, and no authentication is required," he said. "We've had a string of RDP patches, and people might think they've already patched it. But, this is a different one, and it should be a top priority to get that patch rolled out."
Windows Remote Desktop (RDP) is in use by a substantial number of administrators as a tool in system management. "The key word for this exposure is 'unauthenticated,'" said Jason Miller, manager of research and development at VMware. "If the attacker sends malicious unauthenticated packets, that attacker could gain control. And, that usually translates to a worm of some sort. Even if you don't have an RDP enabled by default, it could be turned on at any time. So, any time you have anything that can be attacked by an unauthenticated user, you have to act right away."
NEXT: A Dual IE8 Fix
Microsoft is also issuing two patches for Internet Explorer. The company has begun issuing IE patches on a more frequent basis, and this one marks the third such bug fix in as many months.
"Keep in mind that there are two bulletins that you need to apply if you're using Explorer 8," said VMware's Miller. "You'll need both 52 and 56, and the vulnerability is not going to be fixed unless you put both patches into the system. It is a remote code execution, so you want to get this resolved as soon as possible." Miller added that this vulnerability also has Java implications, which is why the response comes in the form of two separate patches.
There is also a new patch to supplement last month's bug fix to support XML Core services. "When they patched it last month, they did versions 3, 4 and 6 of XML Core Services," said Miller. "Version 5 did not get patched last time, but here is the patch now. So, administrators need to keep this one from slipping under the radar."
One final Microsoft item is worthy of note, according to Lumension Security's Henry. "Three months ago, they made an announcement saying they're going to start limiting encryption to 1,024 bit or higher," he said. "Now they've released a voluntary patch to test what is going to break when the patch becomes a mandatory patch. If you are a software provider and you've sold software in other countries using 256-bit encryption to avoid the need for an export permit, this patch is going to cause problems. So, I think software vendors are going to be scrambling for export permits, which are often required when 1,024-bit encryption is sold internationally. This might not get a lot of attention right now, but it will very likely have far-reaching impacts."
In concert with the Redmond, Wash.-based software company's patch releases, Adobe and Oracle are also issuing patches of their own. Adobe is patching Acrobat, Acrobat Reader and Shockwave, although Miller expects there will also be a forthcoming patch to support Flash Player. "The Flash Player vulnerabilities are already attracting attacks, so you'll want to attend to this one pretty quickly," he said.
PUBLISHED AUG. 14, 2012