

RDP, IE Security Fixes Top Microsoft Patch Tuesday

By Ken Presti
June 12, 2012    7:32 PM ET

Page 2 of 3

Among the bulletins rated important, MS12-039 closes vulnerabilities in Microsoft Lync that could allow remote code execution if a user views shared content containing maliciously crafted TrueType fonts.

“We've had some real serious problems over the last decade with TrueType fonts,” said Paul Henry, security and forensic analyst at Lumension. “It points to HTML issues in IE. So while Microsoft is calling it an important vulnerability, I think of this as a higher level priority because it impacts TrueType fonts as well as IE. It's not simply about the Lync communicator.”

“This was a vulnerability that Stuxnet and Duqu used,” said BeyondTrust’s Maiffret. “It had originally been patched in December but Microsoft actually reused the vulnerable TrueType parsing code, so there was another bulletin that Microsoft ended up releasing last month that basically fixed more products that reused that code. So this month, there's another vulnerability, seven months later, using the same vulnerability in Microsoft Lync. If your company is using Lync, then this is a very straightforward threat that needs to be patched.”

MS12-040 is aimed at a vulnerability in Microsoft Dynamics AX Enterprise Portal that could allow elevation of privilege if the user clicks on a malicious website. The patch enables Microsoft’s XSS Filter by default, as a means of closing the exposure.

“The fixes for Lync and AX are not going to run automatically through Windows update,” warned VMware’s Miller. “So you need to be aware that those patches are going to have to be manually located and downloaded. It's important that every month we look at how those patches are being distributed so that we don't miss something inadvertently.”

MS12-041 and MS12-042 both resolve Windows vulnerabilities that could allow elevation of privilege if an attacker logs on to a system and runs a malicious application. The attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.

NEXT: Another Flame Fix

