August 2012 Patch Tuesday Overview
Marking the August 2012 edition of Patch Tuesday, Microsoft has released nine bulletins addressing 27 vulnerabilities.
Last month Microsoft released a Security Bulletin (MS12-043) addressing a Zero-Day vulnerability in the Microsoft XML Core Services. With the Security Bulletin release, Microsoft addressed the vulnerability in MS XML Core Services 3.0, 4.0 and 6.0. Microsoft did not release the patches for MS XML Core Services version 5.0 until this month. As you go through your patching cycle, it is important to remember to apply the patches for this additional (10th) bulletin that is left over from last month.
Microsoft also released a non-security update as part of their work on hardening digital certificates on Windows operating systems. Non-security update KB2661254 will block any digital certificates that are not 1024 bits in length. As this non-security update is a defense-in-depth update and there are no known active attacks related to the patch, administrators should concentrate on the Security Bulletin releases first this month. Although unlikely, there is a potential that this non-security update could break functionality on systems if not thoroughly tested first. At this time, this non-security update is only available on the Microsoft Download Center.
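One way to test for breakage before deploying KB2661254 is to inventory the certificates on a system that fall under the key-length limit. The following PowerShell is an added example, not part of the original post or a Microsoft tool; the function name Get-ShortRsaCertificate is hypothetical, and the 1024-bit RSA cutoff is an assumption exposed as the -MinBits parameter.

```powershell
# Added example: list certificates that a minimum-key-length policy would affect.
# Assumption: the limit applies to RSA public keys shorter than $MinBits.
function Get-ShortRsaCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinBits = 1024
    )
    $rsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption

    # Walk every store, including root and intermediate CA stores: a short-key
    # CA certificate affects every certificate that chains up to it.
    Get-ChildItem -Path $StorePath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.PublicKey.Oid.Value -eq $rsaOid } |
        ForEach-Object {
            # Reading the key can throw for unusual encodings; skip those entries.
            try { $bits = $_.PublicKey.Key.KeySize } catch { $bits = $null }

            if ($null -ne $bits -and $bits -lt $MinBits) {
                [pscustomobject]@{
                    Store      = ($_.PSParentPath -replace '^.*::', '')
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
        }
}

# Report for the local machine and current user, grouped by store.
Get-ShortRsaCertificate |
    Sort-Object Store, KeyBits |
    Format-Table Store, KeyBits, NotAfter, SelfSigned, Subject -AutoSize
```

Any certificate listed that is still in use (for example on an internal web server or for code signing) should be reissued with a longer key before the update is rolled out.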
There are two bulletins administrators should look at applying right away to prevent malicious webpages from exploiting their systems. MS12-052 affects all supported versions of the Microsoft Internet Explorer browser. This is the third straight month we have seen some type of Security Bulletin released for Microsoft's browser.
When patching your Internet Explorer browsers this month, administrators will need to apply two patches to fully mitigate the risk of an attack. If Internet Explorer version 8 is installed, administrators will need to apply the Internet Explorer Cumulative Update (MS12-052) and Security Bulletin MS12-056. MS12-056 fixes a vulnerability in JScript that could lead to Remote Code Execution.
Windows Remote Desktop is appearing once again with a critical Security Bulletin. Similar to previous Microsoft Security Bulletins affecting RDP, an attacker can gain access to the system by sending an unauthenticated, malicious RDP packet to a Windows XP SP3 system with RDP enabled. As I said earlier this year, RDP is commonly used and turned on by administrators to remotely control their systems.
One Security Bulletin this month addresses a vulnerability that has seen targeted, limited attacks. MS12-060 addresses a vulnerability in Windows Common Controls that could lead to Remote Code Execution. If a user opens a malicious RTF document on an unpatched system, an attacker can gain complete access to the system. RTF documents as attachments are common. In addition, most email security software does not block these types of attachments due to how commonly they are used.
The last Microsoft Security Bulletin administrators should pay particular attention to this month is MS12-054. This Security Bulletin addresses multiple vulnerabilities in the Windows Networking Components. If an attacker is able to share a resource with a malicious name on a network, the attacker can gain control of other systems with an unauthenticated response to the machine. An example of this is any resource, such as a shared printer, that machines will attempt to find on a network.
Adobe has also joined this edition of Patch Tuesday with their own Security Bulletin releases for their Acrobat, Reader, Flash and Shockwave programs. Adobe Security Bulletin APSB12-16, affecting Adobe Acrobat and Reader, addresses 20 Critical vulnerabilities. Adobe Security Bulletin APSB12-17, affecting Adobe Shockwave Player, addresses 5 Critical vulnerabilities. Adobe Security Bulletin APSB12-18, affecting Adobe Flash Player, addresses 1 Critical vulnerability. This vulnerability has seen limited attacks in the wild.
With every Adobe Security Bulletin release, Google also releases updates for their Google Chrome and Chrome Frame browsers. A new update released today by Google includes the latest version of Flash with their installation.
As with any Patch Tuesday, it is important to keep an eye on any other non-Microsoft vendor releasing Security Bulletins.
I will be going over the August Patch Tuesday in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our Monthly Patch Tuesday webinar. In addition, I will be spending some time discussing the Flame virus situation. This webinar is scheduled for next Wednesday, August 15th at 11:00am CT. You can register for this webinar here.
- Jason Miller