Microsoft addressed serious flaws in Office, Windows and the .NET Framework in its May 2012 Patch Tuesday, issuing a combined update to repair the font parsing code exploited by the Duqu malware.
You have yourself a lot of different types of operating systems and different products that are covered inside of this. It’s going to touch a lot of different parts of the network.
Jason Miller, manager of research and development, VMware
The software giant issued seven bulletins, three critical, fixing 23 vulnerabilities across its product line.
It marked the second time since December that Microsoft updated software affected by the Duqu Trojan. Security researchers have been studying Duqu since October, when initial research found it sharing similar code to the notorious Stuxnet worm. Unlike Stuxnet, Duqu was not designed to disrupt critical processes. Instead it silently gathered information about industrial systems at manufacturers. The Office document attack vector leveraged by the Duqu malware was addressed by MS11-087, but in a blog post Microsoft engineer Jonathan Ness said the same code used to render custom fonts was found in other products, including third-party browsers.
As part of the Duqu fix ,MS12-034, issued today, fixes ten vulnerabilities in Windows Journal Viewer, Silverlight and the .NET Framework as well as a malicious keyboard layout file attack vector by adding security functionality used in Windows Vista down to Windows XP and Windows Server 2003.
The bulletin is the most significant due to its magnitude and the fact that the vulnerabilities can be triggered by a simple drive-by attack, said vulnerability expert Jason Miller, manager of research and development at VMware.
“You have yourself a lot of different types of operating systems and different products that are covered inside of this. It’s going to touch a lot of different parts of the network,” Miller said. In addition, he said three of the vulnerabilities were already publicly disclosed , making it even more important to get the necessary systems patched.
The patching process, will require a lot of patience from security experts. According to Miller, security pros should “take a look at the reports coming back on their systems and make sure you’re getting every patch. This one bulletin has over 30 patches in it,” each one about as important as the last, possibly excepting Silverlight, which isn’t as widely used.
Critical Office flaw
MS12-029, also rated “Critical” addresses a vulnerability in Office that could allow remote code execution due to a flaw in the way Office reads rich text format (RTF) documents.
Priority should also be given to MS12-029 because of the simple way the vulnerability can be triggered, said Wolfgang Kandek, CTO of Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc.
“What’s most critical is that, in a normal Office vulnerability, you always have to open a file to actually trigger a vulnerability…. In this case, you only have to preview a message in Outlook to trigger it,” Kandek said.. It can also be triggered by opening a malicious RFT file in an email attachment or by visiting a compromised website.
The Office vulnerability is dangerous because while filters often catch malicious files before they reach a user’s inbox, RTF files are very common and will probably be let through, said VMware's Miller. A successful attack can give an attacker full control of an affected system.
“An RTF document is going to deliver the payload here. In most cases you shouldn’t get certain types of files or attachments, but RTF is common and will likely get through,” Miller said.
Microsoft recommends the update for Microsoft Word 2003 and 2007, Microsoft Office for Mac 2008 and 2011, and all supported versions of Microsoft Office Compatibility Pack. It addresses the same vulnerability found in the MS12-030 security bulletin, and will reconfigure the way Microsoft Office parses RTF-formatted data.
The third bulletin rated “critical” by Microsoft repairs two vulnerabilities in the .NET framework. According to Microsoft, “The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted webpage using a Web browser that can run XAML Browser Applications (XBAPs).”
Both vulnerabilities addressed in this bulletin deal with the serialization process within all supported versions of the .NET Framework. Vulnerability CVE-2012-0160 occurs when the treats untrusted data as trusted. CVE-2012-0161 is caused when the .NET Framework improperly handles an exception during the process.
In both cases, Windows .NET applications could be used to bypass Code Access Security restrictions. Additionally, Microsoft said a website that contains a specially crafted XBAP could exploit this vulnerability if an attacker is able to convince a user to visit the site.
Kandek recommends implementing the patch, but another way to avoid this vulnerability is to turn off XBAP on the internet if it’s not being used. “If you don’t need it, disable it. That way you will end up with a more robust configuration,” he said.
Bulletins rated “Important”
The May round of updates also included four updates rated “important.” They address coding errors in Office and Windows, which could allow for remote code execution and elevation of privilege, respectively. Those two Windows updates require a restart, while the other five may require a restart.
MS12-030 resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Office that could be exploited if a user opens a specially crafted Office file, allowing for remote code execution. Microsoft recommends the patch for all supported editions of Microsoft Excel 2003, 2007 and 2010, Microsoft Office 2007 and 2010, Microsoft Office for Mac 2008 and 2011, and supported versions of Microsoft Excel Viewer and Microsoft Office Compatibility Pack.
The Visio Viewer 2010 vulnerabilities addressed by MS12-032could also allow for remote code execution if a user opens a specially crafted Visio file. According to Microsoft, “A remote code execution vulnerability exists in the way that Microsoft Visio validates attributes when handling specially crafted Visio files” in all supported versions of Visio Viewer 2010.
MS12-032 is rated important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It modifies the way Windows Firewall handles outbound broadcast packets and the way the Windows TCP/IP stack handles the binding of an IPv6 address to a local interface to prevent an elevation of privilege.
The last bulletin, MS12-033, addresses one vulnerability in Windows Partition Manager that could also allow for elevation of privilege in all supported editions of Windows Vista, Windows 7 and Windows Server 2008 and 2008 R2. It corrects the way that Windows Partition Manager allocates objects in memory.