Happy holidays and welcome to the final (knock on wood!) Patch Tuesday of 2012. This week Microsoft released 7 new patches, covering a total of 12 new vulnerabilities. The overall volume this month is fairly light, a trend which has more-or-less stayed true through all of 2012. In fact, this year MS patched the fewest vulnerabilities in any year since 2009. While the volume this month is low, the criticality is high, with critical patches for IE, MS Word, most flavors of Windows, and Exchange.
This month’s patches include the following:
- (MS12-077) Cumulative Security Update for Internet Explorer (2761465)
- (MS12-078) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2783534)
- (MS12-079) Vulnerability in Microsoft Word Could Allow Remote Code Execution (2780642)
- (MS12-080) Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2784126)
- (MS12-081) Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2758857)
- (MS12-082) Vulnerability in DirectPlay Could Allow Remote Code Execution (2770660)
- (MS12-083) Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass (2765809)
All bulletins MS12-077 through -081 are reported by MS as critical, with -082 and -083 listed as Important. Highest priority this month should be MS12-077 (browser exploits are always juicy targets, often exploited soon after disclosure), MS12-079 (ditto for MS Word) and MS12-080. The latter addresses vulns in an Oracle library embedded in Exchange, first disclosed by Oracle back in October. These vulnerabilities have been known for a while, have received a good deal of analysis, and it deserve quick attention.
It’s also striking to take a step back and consider the diversity of exploit vectors. With the vulnerabilities included in just these 7 patches, an attacker could subvert a system by:
- Tricking an IE user to visit a malicious web page (MS12-077)
- Convincing a user to open a document with a malicious embedded font (MS12-078)
- Sending a Word or Outlook user a specially-crafted Rich Text email message or document (MS12-079)
- Fooling a user into subscribing to a malicious RSS feed (MS12-080)
- Getting a user to just LOOK at a document with a malicious filename (MS12-081)
In all these cases, MS rates the exploitability index at “1”, indicating reliable exploits are likely in the next 30 days. While the raw numbers of vulnerabilities may be down this year, the methods available to the bad guys to do their dirty work continue to expand at a fairly alarming rate.
McAfee’s confirmed coverage for this month’s vulns is as follows:
• McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 6 out of 12 vulnerabilities this month.
• McAfee Host Intrusion Prevention is expected to provide protection against exploits of 8 out of 12 vulnerabilities this month.
• McAfee's Network Security Platform has new signatures confirmed to protect exploits of 4 out of 12 vulnerabilities this month (more analysis is underway).
• McAfee Application Control is confirmed to provide protection against exploits of 8 out of 12 vulnerabilities this month.
• McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
Aggregate coverage (combining host and network-based countermeasure together) is 9 out of 12. Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center.