Among the bulletins listed as important, MS12-039 is intended to close vulnerabilities in Microsoft Lync that could allow remote code execution if a user views shared content containing maliciously crafted embedded TrueType fonts.
“We've had some real serious problems over the last decade with TrueType fonts,” said Paul Henry, security and forensic analyst at Lumension. “It points to HTML issues in IE. So while Microsoft is calling it an important vulnerability, I think of this as a higher level priority because it impacts TrueType fonts as well as IE. It's not simply about the Lync communicator.”
“This was a vulnerability that Stuxnet and Duqu used,” said BeyondTrust’s Maiffret. “It had originally been patched in December but Microsoft actually reused the vulnerable TrueType parsing code, so there was another bulletin that Microsoft ended up releasing last month that basically fixed more products that reused that code. So this month, there's another vulnerability, seven months later, using the same vulnerability in Microsoft Lync. If your company is using Lync, then this is a very straightforward threat that needs to be patched.”
MS12-040 is aimed at a vulnerability in Microsoft Dynamics AX Enterprise Portal that could allow elevation of privilege if the user clicks a link to a malicious website. The patch enables Microsoft's XSS Filter by default as a means of closing the exposure.
“The fixes for Lync and AX are not going to run automatically through Windows update,” warned VMware’s Miller. “So you need to be aware that those patches are going to have to be manually located and downloaded. It's important that every month we look at how those patches are being distributed so that we don't miss something inadvertently.”
MS12-041 and MS12-042 both resolve Windows vulnerabilities that could allow elevation of privilege if an attacker logs on to a system and runs a malicious application. The attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.