Hello all,


This week, once again, brings us the latest Microsoft PatchTuesday.  This week Microsoft released 9 new security patches (5 ratedcritical) covering a total of 27 vulnerabilities.  Nearly half of thevulns are addressed in a single patch, to MS Exchange Server.  Theremaining vulns are a pretty typical mix of OS, server apps, and workstationapps, including another new rollup patch for Internet Explorer.


This month’s patches include the following:


  • (MS12-052) Cumulative Security Update forInternet Explorer (2722913)
  • (MS12-053) Vulnerability in Remote Desktop CouldAllow Remote Code Execution (2723135)
  • (MS12-054) Vulnerabilities in Windows NetworkingComponents Could Allow Remote Code Execution (2733594)
  • (MS12-055) Vulnerability in Windows Kernel-ModeDrivers Could Allow Elevation of Privilege (2731847)
  • (MS12-056) Vulnerability in JScript and VBScriptEngines Could Allow Remote Code Execution (2706045)
  • (MS12-057) Important Vulnerability in MicrosoftOffice Could Allow for Remote Code Execution (2731879)
  • (MS12-058) Vulnerabilities in Microsoft ExchangeServer WebReady Document Viewing Could Allow Remote Code Execution (2740358)
  • (MS12-059) Vulnerability in Microsoft VisioCould Allow Remote Code Execution (2733918)
  • (MS12-060) Vulnerability in Windows CommonControls Could Allow Remote Code Execution (2720573)


The MS Exchange patch (MS12-058) sticks out this month,initially simply for the volume of vulnerabilities it addresses (13 individualvulns).  The vulns all have the same underlying root cause: a flawedlibrary supplied by Oracle to MS (and other ISVs), which has been incorporatedinto MS Exchange.  The Oracle “Outside In” libraries provide previews ofvarious document types to users of Outlook Web Access (OWA), allowing users toread docs directly in their web browser, without needing to download and openthe docs on their local PC.  In order to exploit one of these vulns, anattacker would send a user a malicious crafted doc, and the result would be theability to run arbitrary code on the Exchange server.  Oracle disclosedthe vulnerabilities in their libraries back in July, and MS quickly acknowledgedthat the issue affected Exchange.  Several weeks later, we have a patchfrom MS that deploys the updated Oracle libraries.


MS12-060 is important as well, as MS has disclosed that thisvulnerability has seen limited, targeted attacks, and there is reason tobelieve that more will be coming.  This vuln affects the TabStrip control,one of a set of ActiveX Common Controls within the Windows OS.  Anattacker who sent a user a malicious document, or lured the user to aspecially-crafted web page could install and execute payload code without theuser’s knowledge.  Attacks to date have primarily leveraged RTF documents.


McAfee’s confirmed coverage for this month’s vulns isexcellent:


  • McAfee VirusScan's buffer overflow protection isexpected to provide proactive protection against exploits of 23 out of 27vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected toprovide protection against exploits of 25 out of 27 vulnerabilities this month.(HIPS FTW!)
  • McAfee's Network Security Platform has newsignatures confirmed to protect exploits of 15 out of 27 vulnerabilities thismonth.
  • McAfee Application Control is confirmed toprovide protection against exploits of all 13 vulns included in MS12-060, andadditional analysis is underway on the remaining vulns.
  • McAfee Vulnerability Manager and Policy Auditorwill very shortly have content to assess whether your systems are exposed toany of these new vulnerabilities.


Total aggregate coverage thismonth: 26 out of 27!  Additional research is being performed by McAfeeLabs, and we expect coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center.


You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-timeupdates via email, or listening to AudioParasitics, the official McAfee Labspodcast:


Happy patching!


***Edit 8/15/12 ***


Some have asked about McAfee's exposure to the Oracle Outside In vulnerabilities. Several McAfee products use the Outside In libraries and are vulnerable, including:


  • McAfee Email and Web Security (EWS) 5.x Appliances
  • McAfee Email Gateway (MEG) 7.0 Appliance
  • McAfee GroupShield 7.0.x for Microsoft Exchange
  • McAfee Host Data Loss Prevention (Host DLP) 9.0
  • McAfee Security for Email Servers (Exchange & Domino)
  • McAfee Security for Microsoft SharePoint 2.5


For details on mitigating the risk of these, see https://kc.mcafee.com/corporate/index?page=content&id=SB10031