Microsoft patches 20 vulnerabilities

Microsoft Security Bulletin Summary for October 2012 contains 7 bulletins to patch 20 vulnerabilities.

MS12-064, rated at critical, affects Microsoft Word and would allow an attacker to send a malicious file which, when opened or previewed, would fully compromise the victim’s system. Organizations and consumers should apply this patch as soon as possible. This is the type of exploit that we have seen being used as a part of spear phishing attacks.

MS12-067 is an important bulletin which could be a concern for organizations running Microsoft FAST Search Server 2010 for SharePoint. FAST is Microsoft’s search engine for SharePoint intranet content, and exploitation of MS12-067 would result in remote code execution. Microsoft has already patched 13 vulnerabilities related to FAST.

The interesting thing about this vulnerability is that the vulnerable component is Oracle’s Outside In file format conversion library. This library is heavily used in the enterprise application space and is embedded into many file search and indexing applications, including mobile gateways such as Blackberry Enterprise Server. I would expect to see a rash of related security updates become available for all enterprise products using this library.

Oddly enough, even though the July bulletin included an update for Exchange 2007 and 2010 for Outside In flaws, the October one does not, which may point to an upcoming patch for Exchange server, or something specific about the issues identified in this bulletin that excludes Exchange as a potential target.

MS12-070 is an XSS vulnerability that could affect Microsoft’s SQL Server, although it affects the web interface, not the actual database server itself. However, successful exploitation of MS12-070 would result in an escalation of privileges.

MS12-066 is another important bulletin that affects a wide range of web-based collaboration products, including SharePoint, Groove, and InfoPath, as well as the hosted version of Microsoft Office. This flaw allows privilege escalation through an XSS vulnerability and organizations with untrusted users of these products should prioritize this patch.

Also note that Microsoft updated KB2758994 yesterday, indicating that an update is now available for Windows 8 and Windows 2012 Server that fixes a known vulnerability in the Adobe Flash Player plugin.

MS12-069, although only a Denial of Service, should also be prioritized, as it may allow an unauthenticated attacker on the local network to take down Kerberos services on a Windows domain controller. A repeated attack against an organization’s domain controllers could have a major impact of the functioning of the business.

The remaining bulletins should be triaged, tested, and applied as soon as possible.

Author: Marcus Carey, security researcher at Rapid7.