On this, the second Tuesday of the month, Microsoft has issued seven security bulletins for Patch Tuesday. Three of the bulletins are rated critical, and the other four are rated important. Together they address 23 separate vulnerabilities in Microsoft Windows, Office, Silverlight, and the .NET Framework. Customers should plan to install all of these updates as soon as possible.
Among the most critical is MS12-034, which affects Microsoft Office, Windows, the .NET Framework, and Silverlight. The flaws it covers can be exploited through a browser, an e-mail message, file sharing or similar vectors, and can result in remote code execution, elevation of privilege, or denial of service.
“MS12-034 is the largest security bulletin I've seen Microsoft put out,” Jason Miller, R&D manager at VMware, told CRN. He goes on to explain that "The sheer size of this thing is immense because they are covering a lot of products and a lot of operating systems. There are about 120 types of product/service packs combinations where this patch would be applicable and there are 39 different patches associated with this one bulletin. So this is going to be all over the network. Pretty much all of your machines are going to be involved.”
Interestingly, the vulnerabilities in MS12-034 stem from an earlier issue that Microsoft resolved last year.
"The remote code-execution vulnerability used against Microsoft Office, Windows and .NET Framework ties back to the TTF vulnerability used by Duqu," said Joseph Chen, engineering director for security technology and response at Symantec, in a statement. "We recently found a new Duqu sample showing that the threat is still active. Microsoft has provided some further patching, in addition to the already issued patch for the vulnerability at the end of 2011."
MS12-029, which addresses security problems in Microsoft Word that could allow an attacker to take control of an affected machine, is also rated critical.
"In this case, the attack vector leverages the Outlook preview pane," Andrew Storms, director of security operations at nCircle, told CRN. "You can receive an e-mail and have the attack triggered just through the preview pane without even opening the message," he said. "But the vulnerability only occurs if you have Word set up as the editor in Outlook, which is not the default setting." The attack for MS12-029 is also based on remote code execution.
"We also see a much larger patch of vulnerabilities affecting Microsoft Excel," added Symantec's Chen. "The patches are rated important rather than critical because you still get a prompt to download or open the malicious content rather than it infecting automatically, but it could still be used as a targeted attack.”
"The .NET [Framework] vulnerabilities are also prominent in this month's patches," Chen concluded. "Exploits for this vulnerability are likely to be hosted as drive-by downloads on maliciously created or otherwise compromised websites. So, as always, we strongly advise avoiding sites of unknown or questionable integrity, to protect from attacks seeking to use these security holes."