It’s everyone’s favorite Tuesday: Microsoft Patch Tuesday! This month Microsoft released 7 patches, addressing a total of 20 vulnerabilities. One of these patches, MS12-064, is rated Critical by Microsoft; it addresses a pair of code execution vulns in MS Word. The rest are rated Important by Microsoft.
Before diving into the regular monthly patches, let’s start with a quick wrap-up of the recent out-of-cycle activity from Microsoft. On September 21, 2012, MS released a rare out-of-cycle patch for Internet Explorer:
- (MS12-063) Cumulative Security Update for Internet Explorer (2744842)
This patch addressed 5 distinct vulnerabilities in IE 6 - IE 9. One of these was quite concerning, as it had been fairly broadly exploited in the wild, including a published exploit module in the popular framework, Metasploit. Given the high-profile nature of the threat, MS expedited a patch rather than wait for the next regularly scheduled patch cycle. This is the first out-of-cycle Microsoft patch since December 2011. Much has been written about this patch (and the related exploits) elsewhere, including some excellent write-ups by McAfee Labs:
This month’s patches include the following:
- (MS12-064) Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2742319)
- (MS12-065) Vulnerability In Microsoft Works Could Allow Remote Code Execution (2754670)
- (MS12-066) Vulnerabilities in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)
- (MS12-067) Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Elevation of Privilege (2742321)
- (MS12-068) Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2724197)
- (MS12-069) Vulnerability in Kerberos Could Allow Denial of Service (2754673)
- (MS12-070) Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849)
Of this month’s patches, most noteworthy is the patch to Microsoft Word (MS12-064). This patch addresses 2 vulnerabilities in MS Word. These are fairly typical client-side application vulns, where an attacker who convinces their victim to open a specially crafted, malicious document could execute arbitrary code as the victim user. A similar vulnerability in MS Works 9 (MS12-065) would be equally critical, although this application is rarely deployed in enterprise environments.
McAfee’s confirmed coverage for this month’s vulns, as well as last month’s IE zero-day, is excellent:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 25 out of 25 vulnerabilities this month. 100% coverage!
- McAfee Host Intrusion Prevention is expected to provide protection against exploits of 25 out of 25 vulnerabilities this month. 100% coverage!
- McAfee's Network Security Platform has new signatures confirmed to protect against exploits of 10 out of 25 vulnerabilities this month, including all the out-of-cycle IE vulns as well as the critical MS Word vulns.
- McAfee Application Control is confirmed to provide protection against exploits of 8 out of 25, including all the out-of-cycle IE vulns as well as the critical MS Word vulns.
- McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
In short, excellent coverage across the board. McAfee’s customers are quite well protected via a range of countermeasures. Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center.