BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Patch Tuesday July 2012: MSXML Patched (sort of?), MDAC, IE9 (Mmm), Windows 8 glimpse

Posted July 10, 2012    Marc Maiffret

In short: Get MS12-043, MS12-045, and, if running IE9, MS12-044 patched and get back to that game of Where’s My Water?

MSXML 0day fixed?

This month’s Patch Tuesday bulletins bring an end to a zeroday vulnerability within MSXML that was first announced towards the beginning of June. Specifically MS12-043 has the fix that IT folks have been waiting a month for, while exploits have floated around, even within popular exploit toolkits. That is unless of course you are one of the unlucky people using MSXML 5.0, which Microsoft has not released a fix for as they are still finishing their testing.

Not sure if you are one of the unlucky ones still at risk of a zeroday within MSXML 5.0? Here is a quick breakdown:  Office 2003 and 2007, Office Word Viewer, Expression Web Edition, Office SharePoint Server 2007, and Groove Server 2007. The good news (dare I say context?), however, is that MSXML 5.0 is not on the pre-approved controls list and therefore gives a big warning to users who browse to a site that tries to load the MSXML 5.0 ActiveX control.

Tasty MDAC treat

Another stand out security bulletin this month is MS12-045, which covers a vulnerability within MDAC. MDAC is something that has been exploited plenty of times in the past, including CVE-2006-0003, which was leveraged by the vast majority of exploit toolkits. This new MDAC vulnerability looks to be something that also will make its way into exploit toolkits sooner rather than later given that it affects most OS’s and is straightforward to exploit.

IE 9 Wins!

Internet Explorer 9 is not only the “faster browser” this month, but also the fastest way to get you owned. MS12-044 specifically covers a critical vulnerability that affects only Internet Explorer 9. We are always a big fan of vulnerabilities that only exist in the latest versions of Microsoft software vs. older ones. It is almost some sort of karmic payback for the number of times Microsoft has decided to patch only new versions of their software (during internal code audits) vs. back porting those fixes to older, yet still supported, versions of their software. Picture slow motion paint being dropped on some IT guy’s head while “cyber criminals” steal the company goods specifically because of IE 9. That being said, you are still better off with IE9 than any of the previous versions of IE, so if you are working in IT, don’t let your corporate overlords use this as an excuse of why Internet Explorer 6 still makes sense—we remember what happened to Google, right?

Windows 8 sneak peak?

Another notable aspect of this Patch Tuesday is the fact that Microsoft has highlighted MS12-043 and MS12-044 as affecting the Windows 8 Consumer Preview. It is an interesting glimpse into the future to know that the critical MS12-043 (MSXML vulnerability) would have affected Windows 8 as well as the Internet Explorer vulnerability covered in MS12-044. Now just because the software versions were affected does not mean that exploitation would be as straightforward under Windows 8 vs. older operating systems. Only time will tell how well Windows 8 fairs, but certainly the fact that two of the nine bulletins released today affect Windows 8 is an interesting view of what may come in the future.

DLL Preloading (Make it stop, please.)

And no Patch Tuesday would be complete without an obligatory DLL Preloading vulnerability, which this July 2012 PT serves up within bulletins MS12-046. I do not really know what to say here except that if you are still allowing WebDAV through your perimeter, then your IT friends should make fun of you in the same vein that we “pity the fool” that would have been affected by DNSChanger (i.e. users running as Admin, not restricting egress DNS to known servers, etc…). Interestingly enough, there is another vulnerability MS12-048 that, while not DLL Preloading, is also partially mitigated through a lot of the same techniques we have previously recommended in mitigating DLL Preloading.

Wrap-Up and Vulnerability Expert Forum

Rounding out the rest of the bulletins for this month is a critical privilege escalation vulnerability (MS12-047) (which has probably been roaming “power plants” for a while), another SharePoint XSS vulnerability in MS12-050, and finally a less exciting Office for Mac vulnerability in bulletin MS12-051.

Don’t forget that tomorrow is our Vulnerability Expert Forum in which the BeyondTrust research team will be discussing this latest Patch Tuesday, as well as other interesting developments in security. You can sign up for the VEF here.

Leave a Reply

Additional articles

Ponemon_Report

Big Surprise: Cost of Data Breaches Up; Are you Doing the *Right* Things to Mitigate the Costs?

Posted May 28, 2015    Scott Lang

Ponemon Institute Cost of Data Breach Study – costs are going up – to the tune of a 23% increase in total costs of data breaches, and a 12% increase in per-record cost since 2013. Are you doing the right things to mitigate costs?

Tags:
, ,
IRS-Data-Breach

The tip of the IRS data breach – and it IS an iceberg

Posted May 27, 2015    Morey Haber

The IRS has been warned for decades about their security best practices. And now, at least 100,000 Americans have had their records compromised. How? The IRS uses a service called “Get Transcript”.

Tags:
, , ,
dave-shackleford-headshot

Tales from the Datacenter: Vulnerability Management Nightmares

Posted May 27, 2015    Dave Shackleford

Vulnerability scanning, threat management, risk analysis, patching, and configuration management are some of the major activities usually associated with vulnerability management, and none of these are new…so why are we failing so badly at many of them?

Tags:
, ,