The last Patch Tuesday of 2012

Today is the last Patch Tuesday of 2012. Its seven bulletins bring the total count for the year to 83, significantly down from last year’s 100 bulletins and even more from the 2010 count, which ended at 106 bulletins.

Maybe even more important than the raw numbers is the more regular release rhythm that Microsoft set this year. We see this as a clear sign of a more mature process.

Five of this month’s bulletins are rated as critical by Microsoft, meaning that the addressed vulnerabilities can be used by an attacker to gain complete control over the targeted machine.

Of the five, we think that MS12-079, a bulletin for Microsoft Word is the most important. The attack can be accomplished through e-mail using a flaw in the Rich Text Format (RTF). An attacker can gain control of a computer without end user interaction because Microsoft Outlook automatically displays the malicious text in the Preview Pane. A potential work-around is to manually configure the preview pane in Outlook’s Trust Center to use plain text only, but one loses a significant amount of functionality that way.

A close second in priority is the Internet Explorer bulletin MS12-077, which addresses vulnerabilities in Internet Explorer 9 and 10, the newest versions of IE that run under Vista, Windows 7 and Windows 8. Here, an attacker would have to lure the attack target to browse to a malicious webpage. This is a tad harder than sending the target a simple e-mail, another common attack method.

MS12-087 fixes a vulnerability in Windows Explorer and is triggered through a malicious Unicode filename. The attacker would have to control an SMB or WebDAV fileserver that the target accesses in order to exploit the vulnerability. A good mitigation for these types of attacks would be firewall SMB filesharing and WebDAV on the outbound firewall or proxy to restrict the use of these protocols to the internal network and limit their use on the Internet.

Author: Wolfgang Kandek, CTO, Qualys.