Security in Context: The BeyondTrust Blog


Patch Tuesday July 2012: MSXML Patched (sort of?), MDAC, IE9 (Mmm), Windows 8 glimpse

Posted July 10, 2012    Marc Maiffret

In short: Get MS12-043, MS12-045, and, if running IE9, MS12-044 patched and get back to that game of Where’s My Water?

MSXML 0day fixed?

This month’s Patch Tuesday bulletins bring an end to a zeroday vulnerability within MSXML that was first announced towards the beginning of June. Specifically, MS12-043 has the fix that IT folks have been waiting a month for, while exploits have floated around, even within popular exploit toolkits. That is, unless of course you are one of the unlucky people using MSXML 5.0, for which Microsoft has not released a fix, as they are still finishing their testing.

Not sure if you are one of the unlucky ones still at risk of a zeroday within MSXML 5.0? Here is a quick breakdown: Office 2003 and 2007, Office Word Viewer, Expression Web Edition, Office SharePoint Server 2007, and Groove Server 2007. The good news (dare I say context?), however, is that MSXML 5.0 is not on the pre-approved controls list and therefore gives a big warning to users who browse to a site that tries to load the MSXML 5.0 ActiveX control.

Tasty MDAC treat

Another standout security bulletin this month is MS12-045, which covers a vulnerability within MDAC. MDAC is something that has been exploited plenty of times in the past, including CVE-2006-0003, which was leveraged by the vast majority of exploit toolkits. This new MDAC vulnerability looks to be something that will also make its way into exploit toolkits sooner rather than later, given that it affects most OSes and is straightforward to exploit.

IE 9 Wins!

Internet Explorer 9 is not only the “faster browser” this month, but also the fastest way to get you owned. MS12-044 specifically covers a critical vulnerability that affects only Internet Explorer 9. We are always big fans of vulnerabilities that only exist in the latest versions of Microsoft software vs. older ones. It is almost some sort of karmic payback for the number of times Microsoft has decided to patch only new versions of their software (during internal code audits) vs. back porting those fixes to older, yet still supported, versions of their software. Picture slow motion paint being dropped on some IT guy’s head while “cyber criminals” steal the company goods specifically because of IE 9. That being said, you are still better off with IE9 than any of the previous versions of IE, so if you are working in IT, don’t let your corporate overlords use this as an excuse for why Internet Explorer 6 still makes sense—we remember what happened to Google, right?

Windows 8 sneak peek?

Another notable aspect of this Patch Tuesday is the fact that Microsoft has highlighted MS12-043 and MS12-044 as affecting the Windows 8 Consumer Preview. It is an interesting glimpse into the future to know that both the critical MSXML vulnerability (MS12-043) and the Internet Explorer vulnerability covered in MS12-044 would have affected Windows 8. Now, just because the software versions were affected does not mean that exploitation would be as straightforward under Windows 8 vs. older operating systems. Only time will tell how well Windows 8 fares, but certainly the fact that two of the nine bulletins released today affect Windows 8 is an interesting view of what may come in the future.

DLL Preloading (Make it stop, please.)

And no Patch Tuesday would be complete without an obligatory DLL Preloading vulnerability, which this July 2012 PT serves up within bulletin MS12-046. I do not really know what to say here except that if you are still allowing WebDAV through your perimeter, then your IT friends should make fun of you in the same vein that we “pity the fool” that would have been affected by DNSChanger (i.e. users running as Admin, not restricting egress DNS to known servers, etc…). Interestingly enough, there is another vulnerability, MS12-048, that, while not DLL Preloading, is also partially mitigated through a lot of the same techniques we have previously recommended in mitigating DLL Preloading.

Wrap-Up and Vulnerability Expert Forum

Rounding out the rest of the bulletins for this month is a critical privilege escalation vulnerability (MS12-047) (which has probably been roaming “power plants” for a while), another SharePoint XSS vulnerability in MS12-050, and finally a less exciting Office for Mac vulnerability in bulletin MS12-051.

Don’t forget that tomorrow is our Vulnerability Expert Forum in which the BeyondTrust research team will be discussing this latest Patch Tuesday, as well as other interesting developments in security. You can sign up for the VEF here.
