The Microsoft Security Bulletin Advance Notification for May 2012 contains 7 bulletins: three rated “critical” and the rest “important.” Just when most organizations and consumers have been fanning the flames of the first quarter, this serves notice that information security is a war and not a battle.
Bulletin 1 is a critical vulnerability in Microsoft Office. Since this bulletin is categorized as affecting Microsoft Office it’s safe to say that this is a underlying issue on how it processes data. The vulnerability will likely be able to be exploited by crafting a malicious file that can be opened by any Microsoft Office applications.
This is becoming a recurring theme for organizations and end users because it’s primed for phishing attacks. As we’ve learned over the past couple weeks, Mac users need to apply these patches as soon as possible as attackers are targeting them through Microsoft Office vulnerabilities.
Bulletins 2 & 3 are both rated as critical and affect all of Microsoft’s current operating systems, from Windows XP SP3 to Windows Server 2008. This means that all organizations and the entire user base will be affected by these critical bulletins. Bulletin 2 looks as if it can be exploited by crafting malicious Microsoft Office files, or perhaps crafting a malicious web page that would be processed by the vulnerable software, which is also likely the case with bulletin 3. Both of these critical bulletins would result in remote code execution if compromised.
Bulletins 4 & 5 are labeled as important, and would result in remote code execution if exploited. Both affect Microsoft Office applications. Labeling these bulletins as important indicates that an attacker will only inherit the permissions of the user. This means if a user is not an administrator, it’s a somewhat lower risk. However, if a user has administrator privileges, these types of flaws can have the same impact as a critical rating.
Bulletins 6 & 7 are elevation-of-privilege vulnerabilities, meaning that a regular user can upgrade their privileges to administrator level with any valid login. An attacker uses privilege escalation exploits to entrench and further infiltrate organizations and consumers. These type of vulnerabilities would be chained to other attack vectors to be effective.
Author: Marcus Carey, security researcher at Rapid7.