Microsoft fixes 28 security bugs

The Microsoft Security Bulletin Summary for June 2012 contains 7 bulletins addressing 28 security bugs. Three of the bulletins are rated “critical” and the rest “important.”

MS12-036 is a critical bulletin that addresses vulnerabilities allowing an attacker remote code execution related to the Windows Remote Desktop Protocol (RDP). This relates to MS12-020, which had organizations on high alert in March after Microsoft issued warnings that the vulnerability could be weaponized to result in widespread attacks. Up to now, MS12-020 has only been exploited as a reliable denial of service attack; however, from what I understand MS12-036 may offer a more reliable attack vector for exploitation. The silver lining is that after MS12-020, many organizations took preventative measures to disable RDP, especially at egress points in their networks. If organizations must run RDP on the Internet, they should test and deploy MS12-020 patches as soon as possible.

MS12-037 is also labeled as critical and affects Internet Explorer 6, 7, 8, and 9. This is a cumulative patch that addresses several vulnerabilities, including those disclosed by VUPEN at CanSecWest’s Pwn2Own hacking competition. MS12-037 should be priority number one for organizations and consumers. We consistently see browsers and their plugins as the primary attack vector for crimeware and advance persistent threats.

MS12-038 is a critical vulnerability that affects Microsoft Windows and the .NET Framework and is the second highest priority after MS12-037 due to its potential to affect organizations . MS12-038 allows an attacker to exploit systems if a user views a specially crafted webpage using a web browser. This could have limited affects if users operate under least privilege; however, we know that least privilege isn’t always enforced in organizations.

If you were paying attention to the this month’s advanced notification, Microsoft was supposed to patch important vulnerabilities related to Microsoft Office and Visual Basic with MS12-039. Instead, MS12-039 has been changed to update Microsoft Lync, formerly Microsoft Office Communicator. MS12-039 should only affect enterprise customers, although it is uncertain how large the actual deployment is of Microsoft Lync in enterprises. As a result of this change, organizations should also be on high alert as usual because Microsoft since pulled fixes for Microsoft Office related to Visual Basic. In reality we should always be wary of suspicious documents and attachments.

MS12-040 is related to Microsoft Dynamics AX 2012, which is a Microsoft enterprise resource planning software product. MS12-040 – although labeled as important – will make most organizations yawn because of the limited deployment of the product.

MS12-041 and MS12-042 are important bulletins that affects Microsoft operating systems, and could result in an escalation of privileges if successfully compromised. The MS12-041 vulnerability can be used on all modern Windows operating systems to escalate to administrative privilege level. MS12-042 also mitigates escalation of privilege vulnerabilities, but affects a select number of Windows operating systems not all, which is a bit strange. MS12-041 and MS12-042 has should affect both business and consumers.

Author: Marcus Carey, security researcher at Rapid7.