Vulnerability management experts are urging patching administrators to focus their efforts on critical updates to Internet Explorer and the remote desktop protocol (RDP) in Windows as part of Microsoft’s June 2012 Patch Tuesday. The software giant also issued a security advisory, warning of ongoing attacks targeting a Microsoft XML Core Services zero-day flaw.
Microsoft issued seven security bulletins, three “critical” and four “important,” that address 26 vulnerabilities in the company's product portfolio. The vulnerabilities could allow for remote code execution in Microsoft Windows, the .NET Framework and/or elevation of privilege in Windows and Dynamics AX if properly exploited.
MS12-037 is a critical bulletin that addresses 13 vulnerabilities in Internet Explorer 6, 7, 8 and 9 that could allow for remote code execution. According to Qualys CTO Wolfgang Kandek, this bulletin is the most critical for two reasons: first, attackers are already targeting it; second, Internet Explorer is so widely used across industries.
Other vulnerability management experts agree with Kandek’s assessment. Some of the vulnerabilities fixed in Internet Explorer were discovered earlier this year by competitors in the HP-TippingPoint Pwn2Own contest. If an attacker successfully exploited the most severe of these vulnerabilities, remote code could be executed by visiting a specially crafted webpage in Internet Explorer.
“We consistently see browsers and their plug-ins as the primary attack vector for crimeware and advanced persistent threats,” said Marcus Carey, a security researcher at Rapid7.
MS12-036, another high-priority bulletin, addresses a critical flaw in Windows XP, Vista, and 7, as well as Windows Server 2003 and 2008. According to the release, vulnerability CVE-2012-0173 “exists in the way that the Remote Desktop Protocol accesses an object in memory that has been improperly initialized or has been deleted.”
This is one of the flaws discovered after an audit of the RDP code that followed the March 2012 Patch Tuesday release, which caused a stir among security experts who said worms would likely be developed to exploit CVE-2012-0002. Qualys’ Kandek said this likely won’t be the last patch issued for RDP since other coding errors were likely discovered during the investigation.
An attacker who exploited this month’s vulnerability, which reportedly offers an even more reliable attack vector, could “install programs; view, change, or delete data; or create new accounts with full user rights,” according to Microsoft.
Jason Miller, a patch management expert and manager of research development at Palo Alto, Calif.-based VMware Inc., said the attack vector is unauthenticated, making it easier to exploit.
“If [attackers] find a machine that has RDP running on it, they can send it some malicious packets and gain access,” Miller said, and they don’t even have to know anything about your network.
Other experts said that although the RDP patch is critical, the good news is that patching and IT teams should already be prepared to deal with it, since they handled a similar RDP update only recently. Both MS12-036 and MS12-037 will require a restart.
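Because the RDP flaw is reachable without authentication, the first triage question for defenders is which hosts have Remote Desktop enabled and still lack the MS12-036 fix. The following PowerShell inventory script is an added example, not code from the article or from Microsoft; the KB identifier is a placeholder to be taken from the bulletin, and the host names are constructed.

```powershell
# Added example (not from the article or from Microsoft): report which hosts
# expose RDP and whether the MS12-036 hotfix is installed, so exposed and
# unpatched machines can be patched first.
$RdpFixKb = 'KB-PLACEHOLDER-MS12-036'   # assumption: replace with the KB id from the bulletin

function Test-RdpExposure {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
    $deny = if ($key) { $key.GetValue('fDenyTSConnections') } else { $null }
    $rdpEnabled = ($deny -eq 0)

    # Get-HotFix reads Win32_QuickFixEngineering; no result means the fix is absent.
    $patched = $null -ne (Get-HotFix -Id $RdpFixKb -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    # Priority: RDP reachable and unpatched is the case to handle first, since the
    # bulletin's flaw needs no credentials.
    $priority = if ($rdpEnabled -and -not $patched) { 'High' }
                elseif ($rdpEnabled)                { 'Patched' }
                else                                { 'RDP off' }

    [pscustomobject]@{
        Computer   = $ComputerName
        RdpEnabled = $rdpEnabled
        Patched    = $patched
        Priority   = $priority
    }
}

# Constructed host list for illustration; feed your own inventory here.
'host1', 'host2' | ForEach-Object { Test-RdpExposure -ComputerName $_ } | Format-Table -AutoSize
```

Running it requires remote registry access and WMI rights on the target hosts; hosts that cannot be queried show up with RdpEnabled false and should be checked by hand.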
Attacks targeting XML Core Services
Microsoft said it is aware of active attacks targeting its XML Core Services, which processes and converts XML to HTML for display. Attackers can target the flaw in drive-by attacks or in an email message by tricking a victim into visiting a malicious webpage. The advisory includes a workaround for Internet Explorer that can be used until the investigation is complete and a permanent patch is prepared.
The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007. “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user,” Microsoft said in its advisory. XBAP applications are automatically disabled in IE 9 as the default setting.
‘Critical’ .NET Framework update
The other critical bulletin in the June release may require a restart, and addresses a serious vulnerability in the .NET Framework that could allow for remote code execution. The vulnerability would be triggered if a user visits a specially crafted webpage using a browser that can run XBAPs (XAML Browser Applications), which is the default setting for Internet Explorer 9. Experts believe XBAPs are relatively locked-down at this point, but they say it would be worth checking the browser’s settings.
Microsoft said the critical update affects .NET Framework 2.0 Service Pack 2, .NET Framework 3.5.1 and .NET Framework 4 on all supported editions of Windows.
In addition, Microsoft addressed remote code execution errors in the instant messaging client Microsoft Lync. Lync is not believed to be widely used, but the patch is recommended because it includes one publicly disclosed vulnerability in addition to three privately reported ones. The remaining three bulletins rated “important” address flaws that allow for the elevation of privilege in Microsoft Windows and Dynamics AX Enterprise Portal.