Microsoft issued nine security bulletins addressing 26 vulnerabilities in its August 2012 Patch Tuesday, including a dangerous flaw in Windows Common Controls that security experts agreed posed the biggest threat, because Microsoft has already detected attacks attempting to exploit it.
The 26 vulnerabilities addressed this month affected a wide range of Microsoft products, including Windows, Office, networking components, Internet Explorer, and SQL Server. All of the critical bulletins and all but one of the important bulletins present a possibility of remote code execution.
Patching and vulnerability management experts said that MS12-060 is noteworthy because of the number of products that ship the affected control. The coding error can be triggered through Microsoft Office, SQL Server, Commerce Server, Host Integration Server, Visual FoxPro and the Visual Basic 6.0 Runtime.
"We’re aware of limited, targeted attacks attempting to exploit this vulnerability, but we haven’t seen public proof-of-concept code published," wrote Yunsun Wee, director of Microsoft Trustworthy Computing in the MSRC blog. "These are important factors to consider when determining deployment priority and Microsoft recommends that customers test and deploy this update as soon as possible."
The remote code execution vulnerability can be exploited if the victim views a malicious Web page or opens a Microsoft Office or WordPad document, Microsoft said. A successful exploit gives the attacker the same user rights as the logged-on user.
Microsoft addressed four vulnerabilities in Internet Explorer. MS12-052 is rated critical for all supported versions of Internet Explorer on Windows clients and moderate for all supported versions of Internet Explorer on Windows servers. "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," Microsoft said.
Microsoft addressed three vulnerabilities in its Remote Administration Protocol (RAP), a legacy LAN Manager-era Microsoft protocol that lets one computer query and manage another over the network. MS12-054 is rated critical on Windows XP and Windows Server 2003; important for all supported editions of Windows Vista; and moderate for all supported editions of Windows Server 2008, Windows 7 and Windows Server 2008 R2. Microsoft said an attacker could exploit one of the flaws by sending a specially crafted response to a Windows print spooler request.
MS12-058 addresses publicly disclosed critical vulnerabilities in Microsoft Exchange Server. "The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA)," Microsoft said.
In addition, Microsoft issued a critical update for its Remote Desktop Protocol (RDP) in MS12-053. It is the second time in recent months that Microsoft has had to repair RDP. Users of Windows XP should understand the importance of the security update, warned Paul Henry, forensics and security expert at vulnerability management vendor Lumension: no authentication is needed to achieve remote code execution through the RDP flaw. The upside is that RDP is not enabled by default on any Windows system, and computers without it enabled do not face a threat, Henry said.
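Because the RDP flaw is only reachable on hosts that actually expose the Terminal Services listener, the first triage question for an XP fleet is simply which machines have RDP turned on. The following PowerShell snippet is an added example, not code from the article or from Lumension; it assumes an elevated PowerShell session on Windows XP or later and reads the documented Terminal Server registry values, then cross-checks them against what is really listening on the configured port.

```powershell
# Added example (not from the article): report whether this host exposes RDP.
# Assumes an elevated PowerShell session on Windows XP or later.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections: 0 = connections allowed, 1 = denied (the out-of-box value)
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

# UserAuthentication: 1 = Network Level Authentication required before a session
# is created. The value does not exist on Windows XP, so it reads as $null there.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication

# PortNumber is 3389 unless an administrator moved the listener
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

# Policy says one thing; confirm against the live TCP listener table.
$pattern   = ':{0}\s+\S+\s+LISTENING' -f $port
$listening = [bool](netstat -ano -p tcp | Select-String -Pattern $pattern -Quiet)

New-Object PSObject -Property @{
    Host            = $env:COMPUTERNAME
    RdpEnabled      = ($deny -eq 0)
    Port            = $port
    ListeningOnPort = $listening
    NlaRequired     = ($nla -eq 1)
    # A host is exposed when the policy allows connections and the port is open
    Exposed         = (($deny -eq 0) -and $listening)
}
```

Run it through your remote-execution tool of choice across the XP estate and sort on the Exposed column; those hosts are the ones where MS12-053 cannot wait. On XP the NlaRequired column is always false, which matches the point above that the flaw needs no authentication on that platform.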
Microsoft advisory on hardening software certificates
In addition to the bulletins, Microsoft issued Security Advisory 2661254. This update, which restricts the use of certificates with RSA keys shorter than 1024 bits, will be available in the Download Center as well as the Microsoft Update Catalog. In October 2012, the update will be released via Windows Update. For now, it is up to individual enterprises whether to apply the update, and experts recommend that they do.
“Customers can proactively get that update, apply it to the environment, and see if it will break anything,” said Amol Sarwate, director of vulnerability research at Qualys. Sarwate said companies should figure out how to deal with the key-length requirement before it becomes mandatory.
Microsoft added an automatic updater for revoking fraudulent certificates in June, following the discovery of the Flame malware. The company has issued guidance on its PKI blog about how it will block the use of RSA keys shorter than 1024 bits.
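Finding out in advance what the 1024-bit minimum will break means knowing which certificates in the environment carry short RSA keys. The script below is an added example, not code from the article, Qualys or Microsoft: it walks the LocalMachine and CurrentUser certificate stores on a host and lists every RSA certificate whose public key is shorter than the advisory's threshold. It assumes an elevated PowerShell 2.0 or later session on the host being audited, and it only sees certificates stored locally, not ones that would be fetched while building a chain.

```powershell
# Added example (not from the article or from Microsoft): inventory RSA
# certificates in the local stores and flag keys shorter than the 1024-bit
# minimum that Security Advisory 2661254 enforces.
# Assumes an elevated PowerShell 2.0+ session on the host being audited.
$minBits = 1024
$stores  = @('Cert:\LocalMachine', 'Cert:\CurrentUser')

# -Recurse walks every logical store (My, Root, CA, ...) under each hive.
# Containers are skipped, and only RSA keys are inspected because .PublicKey.Key
# can throw for other algorithms on older .NET versions.
$weak = foreach ($store in $stores) {
    Get-ChildItem -Path $store -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.PublicKey -ne $null } |
        Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
        ForEach-Object {
            $bits = $_.PublicKey.Key.KeySize
            if ($bits -lt $minBits) {
                New-Object PSObject -Property @{
                    Store      = ($_.PSParentPath -replace '^.*::', '')
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}

if ($weak) {
    # Shortest keys first, then the ones that will stay in use the longest
    $weak | Sort-Object KeyBits, NotAfter |
        Format-Table Store, KeyBits, NotAfter, Subject, Issuer, Thumbprint -AutoSize
} else {
    Write-Host ("No RSA certificates under {0} bits found in {1}" -f $minBits, ($stores -join ', '))
}
```

Anything that shows up in the Root or CA stores deserves attention first, because a short key high in a chain invalidates every certificate issued beneath it once the update is installed; a short leaf certificate only affects the one service that presents it. Pair the inventory with Sarwate's advice above, installing the update on a test host and watching for chain-building failures, before the October rollout makes the restriction mandatory.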