Microsoft released six comprehensive security updates
This month Microsoft issued six bulletins, four critical, two important, addressing 11 distinct vulnerabilities. Organizations should focus most of their attention on MS12-027. What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and that it affects an unsually wide-range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime.
Attackers have been embedding the exploit for the underlying vulnerability CVE-2012-0158 into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.
Next is MS12-023, an update to Internet Explorer. It contains four critical vulnerabilities and affects all versions of Microsoft’s browser. Attacks can exploit the vulnerabilities by setting up a malicious webpage. MS12-023 has an Exploitability Index of 1, meaning that Microsoft believes that an attack can be crafted within the next 30 days.
By the way, this update does not include the fix for the vulnerability found during last month’s PWN2OWN contest at CanSecWest 2012, which will probably be fixed by another IE update next month. This month’s IE update also brings a more robust way of handling JavaScript self-XSS in the browser’s address bar. Late last year there were several Facebook scams that used that mechanism to plant undesired content on user’s walls.
MS12-024 and MS12-025 are the remaining critical vulnerabilities and address a flaw in Authenticode in Windows and a vulnerability in .NET’s XBAP, the browser based application module. The flaw in MS12-024 allows malware to hitch a ride inside a legitimate software package and silently infiltrate the system as the user proceeds with the installation of the legitimate package. MS12-025 fixes a flaw in Microsoft’s .NET XBAP mechanism that would allow an attacker to run arbitrary code on the machine.
Similar to the situation with Java we recommend turning off XBAP in the Internet zone of Internet Explorer, since we typically associate XBAP as being used for internal application delivery only. For details on how to roll out this type of change, see this blog post by Eric Law that shows how IE9 implements this restriction already in its default configuration.
Also today Adobe released an update to Adobe Reader (APSB12-08). The update addresses both Adobe Reader 9 and 10 and contains fixes for critical vulnerabilities. Adobe assigned a “Priority Rating” of “1” to the update, which recommends installation within the next three days.
One more thing to note: this month starts the 2 year countdown to obsolescence for Windows XP. In April of 2014 Microsoft will stop supporting XP. Nevertheless Windows XP still has an installed base of 35% worldwide with especially high rates of over 70% in some Asian countries. Organizations and end-users need to start planning for their migration to a more recent version of the OS before Microsoft stops issuing any more security updates.