Microsoft Patch Tuesday Takes Aim At Key XML, IE9 Vulnerabilities

Microsoft has released nine bulletins addressing 16 vulnerabilities in this month's edition of Patch Tuesday. Three of the bulletins are rated critical, while the remainders are listed as important.

Arguably the most critical patch is designed to close an XML vulnerability that has been used "in the wild" for the past month and is now being integrated into the Metasploit toolkit and at least one of the popular exploit kits, called Blackhole, according to Wolfgang Kandek, CTO of Qualys.

"This is a really important one if you haven't already applied the temporary fix that Microsoft rolled out last month," he said. "There are four versions of XML that are vulnerable, and only one is being attacked at this point. The temporary fix is aimed at the version under attack, but the patch fixes three of the other vulnerable versions. As long as the attackers do not change their tactics, you should be okay for the short term. But, eventually you will need to install the patch."

[Related: Seven Security Threats Circling Your Network ]

At this point, XML version 5 is the one that remains vulnerable.

"By default, XML 5.0 has a bit of mitigation in place because it will prompt the user," explained Marc Maiffret, CTO of BeyondTrust. ’So, Microsoft was truly trying to work fast and could not patch everything in time.’

"Version 5 is not a simple drive-by," agreed Jason Miller, manager of research and development at VMware. "Something else will have to happen. But if this does not get patched by this time next month, I think we will start seeing more exploits focusing on that vulnerability."

The second critical bulletin is for Internet Explorer 9, addressing two critical vulnerabilities that can enable remote execution when the user visits a malicious webpage, resulting in full control of the device. This patch should be executed as quickly as possible.

"The vulnerability within IE9 is interesting because Microsoft is always touting IE9 as being the best," said Maiffret. "But in this case, it's the only Web browser affected by this critical vulnerability. This is your classic situation where you browse to a malicious websites and code gets executed on your computer. We are likely to see exploits coming out very shortly."

NEXT: MDAC Vulnerability

The third critical bulletin is for the Windows MDAC component, with an attack vector most likely through Web browsing. "It's used for database access," said Qualys’ Kandek. "There is no exploit out in the wild at this point, but it's not very difficult to do it. And, that's why it's recommended to be fixed as quickly as possible."

But, BeyondTrust's Maiffret counters that exploits targeting the MDAC vulnerability are probably right around the corner.

"This is very similar to a vulnerability that came out in 2006 and is in pretty much every exploit toolkit out there," he said. "This current one looks to be straightforward to exploit, so we expect to see it in a lot of exploit toolkits."

The fourth bulletin, which is rated as important, is geared primarily towards PCs configured for Asian character input. The specific vulnerability involves a remote code execution. Some attacks have already been reported in the Far East. ’It's mostly an international vulnerability," explained Kandek, ’but it makes sense to patch it in the United States, as well. It's especially important for big multinational corporations to take care of this.’

Additional bulletins were also featured in this month's patch Tuesday but have been assigned a lesser rank in terms of importance.

Microsoft has also issued an additional security advisory regarding digital certificates. "It's generally believed that RSA certificates with fewer than 1,024 key length are highly insecure," said Kandek. "So, Microsoft is making some changes to its certificate infrastructure, given what was learned from the Flame malware situation. Windows 8 will have improved certificate manager, and it's being backported into Windows 7. So, those two operating systems will get that, which will make certificate management more secure."

A second advisory is intended to disable "Gadgets" in Windows Vista and Windows 7 that had been used to show news and other features on users' screens. "It's been determined that these are highly vulnerable, so Microsoft is discontinuing support for them in Windows 7," explained Kandek. "They're very difficult to program securely, and they open many security holes. So, Microsoft is coming out with a patch, which is not mandatory, but will disable gadgets on the Windows 7 and Windows Vista desktop in order to enhance security. In Windows 8, gadgets do not exist anymore."

"It's kind of interesting that Microsoft is providing tools for administrators to help reduce the threat landscape,’ summarized VMware’s Miller. ’We might be seeing a shift here with Microsoft moving beyond patching vulnerabilities towards preventing these sorts of things from happening in the future. They're really taking a different step. Instead of being reactive, they're trying to be more proactive.’

PUBLISHED JULY 10, 2012