Patch Tuesday August 2012 – An Array of Client-Side and Server-Side Targets
August brings a wild array of Microsoft technologies to update this month, with both significant client side and server side targets in this month’s list of vulnerable software. Nine security bulletins (MS12-052 through MS12-060) are being released to update 26 enumerated vulnerabilities (13 from Microsoft, 13 from Oracle), most urgently including the code in Internet Explorer, an ActiveX Control exposed via Microsoft Word and Excel, and multiple network services. The Microsoft community is faced with five bulletins that contain secured code for a slew of critical rated CVE’s.
The MSCOMCTL.ocx ActiveX component exposed by Word, Excel, IE, and Wordpad has been actively and heavily abused in high value targeted attacks around the world over the past handful of months, because of flawed code described by CVE-2012-0158. We described an example of such an APT related exploit in June, and on a global scale, we continue to prevent newly developed exploits abusing CVE-2012-0158, especially with our “automatic exploit prevention”. Well, we are going to see the Word and Excel spearphish bait continue to chum the proverbial waters, as Microsoft patches CVE-2012-1856 this month. My guess is that we will see attackers casting their lines with more password protected archives containing these exploits, as network defenders tighten up their networks and network security solution developers improve their product capabilities to make it somewhat more difficult to reach better defended, high-value targets.
MS12-052 patches critical flaws in Internet Explorer code, including another one from the problematic “use-after-free” class of memory corruption errors described by CVE-2012-1526. These bugs are the sort that make their way into the COTS exploit packs like Blackhole and Phoenix, and have been included in mass exploitation schemes when WordPress and other platform bugs crop up. Multiple other bugs for Internet 7, 8 and 9 are all being patched, including the missing MSXML5 update for CVE-2012-1889 (only “certain versions” of Office 2003 and 2007 delivered that version of the component).
An odd set of bugs in string parsing network service code provides attackers already inside a network with a way to make their post-intrusion lateral movement within an enterprise. Microsoft predicts that public exploits will be available for these vulnerabilities within 30 days of this patch release. MS12-054 provides this critical but harder to reach path with secured code.
On the server side, Oracle’s buggy “Outside In” third party libraries running on Exchange are being patched – public reports and investigations of bugs in the content-indexing code first started surfacing in July. The US-CERT delivered a descriptive note for the problem on Jul 17th for not only Exchange, but Oracle Fusion Middleware, Guidance Encase Forensics, AccessData FTK, and Novell Groupwise. It appears to be the first time Microsoft has ever included a patch for Oracle code in their releases, but unfortunately, it’s probably not an indication that Oracle updates will be maintained and pushed with Microsoft Update on Windows anytime soon.
Microsoft provides a full list of this month’s security bulletin releases here.