Security in Context: The BeyondTrust Blog


Patch Tuesday July 2012: MSXML Patched (sort of?), MDAC, IE9 (Mmm), Windows 8 glimpse

Posted July 10, 2012    Marc Maiffret

In short: Get MS12-043, MS12-045, and, if running IE9, MS12-044 patched and get back to that game of Where’s My Water?

MSXML 0day fixed?

This month’s Patch Tuesday bulletins bring an end to a zeroday vulnerability within MSXML that was first announced towards the beginning of June. Specifically, MS12-043 has the fix that IT folks have been waiting a month for while exploits have floated around, even within popular exploit toolkits. That is, unless you are one of the unlucky people using MSXML 5.0, for which Microsoft has not released a fix, as they are still finishing their testing.

Not sure if you are one of the unlucky ones still at risk of a zeroday within MSXML 5.0? Here is a quick breakdown: Office 2003 and 2007, Office Word Viewer, Expression Web Edition, Office SharePoint Server 2007, and Groove Server 2007. The good news (dare I say context?), however, is that MSXML 5.0 is not on the pre-approved controls list and therefore gives a big warning to users who browse to a site that tries to load the MSXML 5.0 ActiveX control.

Tasty MDAC treat

Another standout security bulletin this month is MS12-045, which covers a vulnerability within MDAC. MDAC is something that has been exploited plenty of times in the past, including CVE-2006-0003, which was leveraged by the vast majority of exploit toolkits. This new MDAC vulnerability looks to be something that will also make its way into exploit toolkits sooner rather than later, given that it affects most OSes and is straightforward to exploit.

IE 9 Wins!

Internet Explorer 9 is not only the “faster browser” this month, but also the fastest way to get you owned. MS12-044 specifically covers a critical vulnerability that affects only Internet Explorer 9. We are always big fans of vulnerabilities that only exist in the latest versions of Microsoft software vs. older ones. It is almost some sort of karmic payback for the number of times Microsoft has decided to patch only new versions of their software (during internal code audits) vs. back porting those fixes to older, yet still supported, versions of their software. Picture slow motion paint being dropped on some IT guy’s head while “cyber criminals” steal the company goods specifically because of IE 9. That being said, you are still better off with IE9 than any of the previous versions of IE, so if you are working in IT, don’t let your corporate overlords use this as an excuse for why Internet Explorer 6 still makes sense. We remember what happened to Google, right?

Windows 8 sneak peek?

Another notable aspect of this Patch Tuesday is the fact that Microsoft has highlighted MS12-043 and MS12-044 as affecting the Windows 8 Consumer Preview. It is an interesting glimpse into the future to know that both the critical MS12-043 (MSXML vulnerability) and the Internet Explorer vulnerability covered in MS12-044 would have affected Windows 8. Now, just because the software versions were affected does not mean that exploitation would be as straightforward under Windows 8 vs. older operating systems. Only time will tell how well Windows 8 fares, but certainly the fact that two of the nine bulletins released today affect Windows 8 is an interesting view of what may come in the future.

DLL Preloading (Make it stop, please.)

And no Patch Tuesday would be complete without an obligatory DLL Preloading vulnerability, which this July 2012 PT serves up within bulletin MS12-046. I do not really know what to say here except that if you are still allowing WebDAV through your perimeter, then your IT friends should make fun of you in the same vein that we “pity the fool” that would have been affected by DNSChanger (i.e. users running as Admin, not restricting egress DNS to known servers, etc…). Interestingly enough, there is another vulnerability, MS12-048, that, while not DLL Preloading, is also partially mitigated through a lot of the same techniques we have previously recommended in mitigating DLL Preloading.

Wrap-Up and Vulnerability Expert Forum

Rounding out the rest of the bulletins for this month is a critical privilege escalation vulnerability (MS12-047) (which has probably been roaming “power plants” for a while), another SharePoint XSS vulnerability in MS12-050, and finally a less exciting Office for Mac vulnerability in bulletin MS12-051.

Don’t forget that tomorrow is our Vulnerability Expert Forum in which the BeyondTrust research team will be discussing this latest Patch Tuesday, as well as other interesting developments in security. You can sign up for the VEF here.
