Hello all,

 

It’s that magical time again: Microsoft Patch Tuesday.  This week Microsoft released 9 new security patches covering a total of 16 vulnerabilities.  Along with the typical batch of vulnerabilities in Internet Explorer and a handful of privilege escalation vulns, MS has also patched a couple of vulns that have been actively leveraged by criminals for cyberattacks over the last few weeks.

 

This month’s patches include the following:

 

  • (MS12-043) Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)
  • (MS12-044) Cumulative Security Update for Internet Explorer (2719177)
  • (MS12-045) Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365)
  • (MS12-046) Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (2707960)
  • (MS12-047) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523)
  • (MS12-048) Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442)
  • (MS12-049) Vulnerability in TLS Could Allow Information Disclosure (2655992)
  • (MS12-050) Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)
  • (MS12-051) Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege (2721015)

 

Of primary importance this month is MS12-043, which addresses a vulnerability in MS XML Core Services.  This vulnerability was first disclosed by Microsoft back in mid-June.  Within days we saw a working exploit incorporated into the popular Metasploit framework, quickly followed by other less reputable exploit kits.  This vulnerability provides an attacker with a means to push malicious code to a victim by luring them to a specially crafted web page (more commonly termed a drive-by download).  The easy availability of exploits for this vuln makes it a high risk in most organizations, and it deserves special attention.  In addition, MS12-046 has also seen limited exploits in the wild.

 

McAfee’s confirmed coverage for this month’s vulns is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 4 out of 16 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 7 out of 16 vulnerabilities this month.
  • McAfee Application Control is confirmed to provide protection against exploits of the critical MS12-043, and additional analysis is underway on the remaining vulns.
  • McAfee's Network Security Platform has new signatures confirmed to protect against exploits of 9 out of 16 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Our coverage for MS12-043 in particular is confirmed to be very good across the board.  On the endpoint we have coverage with HIPS and Application Control, and we have released DAT signatures to detect, block, and clean known exploits wherever they appear.  On the network we have IPS signatures designed to block attacks in progress, and coverage at the Web Gateway as well.  While many organizations might be tempted to hit the panic button on this patch, it’s worth taking a step back and considering the many layers of countermeasures that are likely already in place and that mitigate the risk here.  These are the days when security technology pays for itself, giving you time to breathe and patch on your own schedule.

 

Additional research is being performed by McAfee Labs, and we expect coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.

 

You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.

 

Scott

Solutions Architect
McAfee, Inc.