June 2012 Patch Tuesday Overview
There are two Microsoft Security Bulletins administrators should look at addressing first from this Patch Tuesday. MS12-037 affects all supported versions of Microsoft Internet Explorer and addresses 13 vulnerabilities. All of these vulnerabilities were privately disclosed and there have been no active attacks to date, but it is important to patch your browsers as soon as possible as they are commonly attacked. MS12-037 and the security bulletin for Microsoft Lync, MS12-039, are related. Both bulletins address a vulnerability in the way HTML is sanitized in both Internet Explorer and Lync. If your machines have both of these products installed, you will need to install both bulletins to fully address this vulnerability.
MS12-036 is the second bulletin administrators should address immediately this month. This Security Bulletin fixes one vulnerability in Microsoft's RDP client. With this vulnerability, an unauthenticated attacker who sends malicious RDP packets to a machine that has RDP enabled can achieve Remote Code Execution. It is important to note a couple of items with this bulletin. First, RDP is not enabled by default on systems, but the majority of administrators rely on RDP to manage their servers and workstations. Second, this type of attack is an unauthenticated attack. An attack that does not require the attacker to be authenticated raises the severity of the vulnerability. Third, even if your machines do not have RDP enabled, administrators should still apply this bulletin to all of their machines. By installing this bulletin, administrators do not have to worry about a machine having RDP enabled at a later time. Without patching RDP, the machine would be instantly vulnerable to attacks the moment RDP is turned on.
This would also mark a great time for administrators to harden their network to lower the severity of future RDP attacks. RDP should only be available to machines on your local network. This can be controlled via a firewall program that restricts the RDP ports to a known and trusted local IP address range. It is important to note this will not stop an internal attack on RDP, but it will help mitigate some of the risk of attacks against RDP.
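As an added example that is not part of the original post, the hardening described above expressed as Windows Firewall rules via netsh advfirewall: the stock "any remote address" rule is disabled and replaced by an allow rule scoped to a trusted range. The 10.0.0.0/24 subnet and the built-in rule name "Remote Desktop (TCP-In)" are assumptions; adjust both to your environment.

```powershell
# Added example (not from the original post): limit inbound RDP (TCP 3389) to a
# trusted management subnet using the built-in Windows Firewall.
# Assumptions: trusted range is 10.0.0.0/24 (placeholder) and the stock rule
# is named "Remote Desktop (TCP-In)" as on Windows 7 / Server 2008 R2.
$TrustedRange = "10.0.0.0/24"   # placeholder: replace with your management subnet

# Weak setting: the stock rule accepts RDP from any remote address.
# Disable it rather than delete it so the change can be rolled back.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no

# Hardened setting: an explicit allow rule limited to the trusted range.
# Windows Firewall drops unmatched inbound traffic when the profile's default
# inbound action is Block, so no separate deny rule is required.
netsh advfirewall firewall add rule name="RDP - trusted LAN only" dir=in action=allow protocol=TCP localport=3389 "remoteip=$TrustedRange" profile=domain,private

# Verify the default inbound action is Block and review both rules.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
netsh advfirewall firewall show rule name="RDP - trusted LAN only"
```

Run from an elevated PowerShell prompt; the "Remote Desktop (TCP-In)" rule should show Enabled: No and the new rule should list only the trusted range under RemoteIP.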
MS12-038 (.NET Framework) presents us this month with a new and interesting case for Windows 8 Preview users. In the case of MS12-038, users of the first Windows 8 Preview release will need to apply this bulletin. Any user who has moved up to the latest version of the Windows 8 Preview will not have to apply this patch, as it was already included in that build. As we go forward with Preview builds of Microsoft software, particular attention will need to be paid to the release notes of Security Bulletins.
There are two bulletins to take note of this month, as their patches will not be distributed through Windows Update. The patch for Microsoft Lync Attendee in Security Bulletin MS12-039 and the patches for Microsoft Dynamics AX (MS12-040) are not available through this distribution method. This is common for these types of software installations; the Lync Attendee, for example, is intended to be distributed through the Lync console. As you go through your Patch Tuesday, it will be important to scour your network to determine whether you have these products installed. If you do, you will need to manually update these software installations. Quite often we just assume our patch management product will cover all products and patches on Patch Tuesday. It is important to stay vigilant and read all information released by software vendors to ensure your network is 100% covered for vulnerabilities that have patches released for them.
On the non-Microsoft front, Apple has released a new version of its iTunes program. Apple iTunes 10.6.3 fixes two security vulnerabilities. Adobe also joined this Patch Tuesday with a security bulletin release for its ColdFusion product. APSB12-15 addresses one vulnerability. Last Friday, Adobe released new versions of Adobe Flash and AIR. APSB12-14 addressed seven vulnerabilities and should be deployed to your network as soon as possible, as the Adobe Flash programs are commonly attacked.
I will be going over the June Patch Tuesday in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our Monthly Patch Tuesday webinar. In addition, I will be spending some time discussing the Flame virus situation. This webinar is scheduled for next Wednesday, June 13th at 11:00am CT. You can register for this webinar here.
- Jason Miller