Microsoft has released nine bulletins addressing 16 vulnerabilities in the July 2012 edition of Patch Tuesday.
The most important bulletin this month that administrators should look at addressing first and foremost is the Security Bulletin addressing a Zero-Day vulnerability in Microsoft XML Core Services (MS12-043). During the June 2012 Patch Tuesday, Microsoft released a Security Advisory stating they were aware of active, but limited, attacks against vulnerability in Microsoft XML Core Services. In the past week, the code for this exploit has been made public, making this patch even more important in terms of severity. With this vulnerability, a user who browses to a malicious website with Internet Explorer can result in Remote Code Execution.
With the Security Advisory release, Microsoft offered their customers a few workarounds to mitigate the risk of an exploit happening on customer machines. If you have applied the workaround to disable Active Scripting in Internet Explorer, administrators may want to remove this locked down setting after applying the patches for this bulletin to return functionality to their users. A second option Microsoft provided to their customers is a FixIt tool that locked down MSXML with the Enhanced Mitigation Experience Toolkit (EMET). With this scenario, administrators should investigate whether to leave this lock down in place as it should not (in most cases) interfere with their users’ day-to-day browsing functionality.
There is one last note with MS12-043 that administrators should be aware of: Microsoft XML Core Services 5.0 contains the vulnerability, but a security bulletin has not been published for this version of the software. Microsoft is still testing the code fix for the vulnerability and will make the patch available when it is ready. Look for this patch to be available within the next two weeks or in the August 2012 Patch Tuesday.
Outside of MS12-043, there are two other bulletins that administrators will want to turn their focus on. Both of these bulletins continue the trend of vulnerabilities that can be exploited through web site browsing. Web browsing attacks through malicious websites is still the most common active attack.
We are seeing for the first time in a long time that Microsoft has gone consecutive months with a Cumulative Security Update for Internet Explorer. Typically, we can expect an update to Microsoft’s Internet Explorer browser every other month. Microsoft has released Security Bulletin MS12-044, a patch for Internet Explorer version 9, to address 2 vulnerabilities. If a user browses to a malicious website with Internet Explorer 9, the attack could result in Remote Code Execution.
Continuing with the browser based attacks this month Microsoft released Security Bulletin MS12-045. This security bulletin addresses two vulnerabilities with Microsoft Data Access Components (MDAC). Similar to the previous security bulletins mentioned, navigating to a malicious website with an unpatched system can result in Remote Code Execution. In addition, a user opening a Microsoft Office document with a malicious embedded ActiveX control can result in Remote Code Execution.
Microsoft also released two new security advisories. Microsoft Security Advisory 2719662 is showing how Microsoft is assisting administrators on hardening their network. Windows Vista and Windows 7 both include Windows Gadgets and Windows Sidebar. Both of these technologies could allow a user to load a malicious plugin. Microsoft has provided administrators a FixIt tool that disables Windows Gadgets and Windows Sidebar. It appears Microsoft is taking a more proactive approach to “patching” versus the older their older model of patching. As I state in all of my monthly webinars, if you do not use a program, remove it from the computer. This FixIt tool is another example of reducing the vulnerability landscape on computers.
With the other Microsoft Security Advisory (KB2728973), Microsoft released even more updates for their hardening of digital certificate effort. I will be talking later this week on this subject.
I will be going over the July Patch Tuesday in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our Monthly Patch Tuesday webinar. This webinar is scheduled for next Wednesday, July 11th at 11:00am CT. You can register for this webinar here.