Patch Tuesday - even Android and Windows RT get a look in

Filed Under: Adobe, Adobe Flash, Android, Featured, Microsoft, Security threats, Vulnerability, Windows

This month's Patch Tuesday includes bulletins from both Microsoft and Adobe, and covers a range of platforms and products.

There are updates in the mix for everything from Android to Windows RT, and from the Word Viewer to Exchange.

Here's a tabular overview:

Bulletin ID Software component Vendor level SophosLabs assessment Vuln type
ASPB12-27 Flash Critical High RCE
MS12-077 IE Critical High RCE
MS12-078 Kernel drivers Critical High RCE
MS12-079 Word Critical High RCE
MS12-080 Exchange Critical High RCE
MS12-081 File handling Critical High RCE
MS12-082 DirectPlay Important High RCE
MS12-083 DirectAccess Important Critical Bypass

(RCE stands for remote code execution, where attackers may be able to trick the vulnerable software into running program code of their choice by feeding in maliciously-crafted data from the outside. Bypass means that a security check that ought to block something can be avoided.)

Here are some words of wisdom on the items rated Critical by Adobe and Microsoft:

APSB12-27 - Security updates available for Adobe Flash Player

Adobe's Flash updates come with a bewildering range of version numbers, spelled out in excruciating detail in Adobe's own bulletin.

Windows goes to 11.5.502.135, OS X to 11.5.502.136, and Linux to 11.2.202.258, except if you have Chrome, when you end up with 11.5.31.5, but not on Android. And except if you have IE 10 on Windows 8, when you'll end up in the middle of the pack with 11.3.377.15.

Confused? I am, but we are nearly there, so I shall plough on: Android 4.x users get 11.1.115.34, whilst Android 3.x users lag right at the back of the field, on 11.1.111.29.

The good news is that you can, if you want, just let Adobe decide for you, and then you don't need to worry about the version number.

Ironically, the bad news is that with so many different versions to support and test, you might feel disinclined to cede control of your updates to Adobe, whereupon you will need to worry about the version number.

My inclination is to say, "Just do it," unless your job genuinely (and I mean genuinely - no cheating!) depends on Flash content displaying flawlessly on your computer.

MS12-077 - Cumulative Security Update for Internet Explorer

Three more use-after-free bugs again this month, potentially leading to RCE (remote code execution).

All Internet Explorer versions are affected, from IE 6 to IE 10, including on Windows RT.

MS12-078 - Vulnerabilities in Windows Kernel-Mode Drivers

In another follow-on from last month, bugs in font-handling code put the kernel itself at risk.

Fonts can, and often are, embedded into web pages, so that visiting a web page - even though you're just a plain old user - could be enough to trigger a remote code execution event inside the kernel.

Like last month, Windows XP to Windows 8 and Server 2003 to Server 2012 are vulnerable.

Even Server Core installs are vulnerable, though you might consider the risk to be lower there, since you can't browse from them.

MS12-079 - Vulnerability in Microsoft Word

Where MS12-078 involves the kernel choking on font files, this one involves Office choking on Rich Text Format (RTF) files.

Watch out, because this vulnerability doesn't just affect your standalone installation of Word.

You could also get owned by poisoned RTFs previewed in Microsoft Office, opened in the Word Viewer application (sometimes seen as a lower-risk way of looking at files from untrusted sources), or accessed via SharePoint.

MS12-080 - Vulnerabilities in Microsoft Exchange Server

Any vulnerability in attachment handling inside Exchange itself is cause for concern (and for prompt patching).

As in the font-processing kernel bug above, this vulnerability means that actions by a user in one part of your ecosystem may trigger an exploit in another.

At worst, even a remote user sitting in a cybercafe could - quite innocently - trigger bad things on your Exchange server.

This could happen if an Outlook Web Access user tried to view a dodgy file that had been sent by email, thanks to the WebReady Document Viewing feature.

Here, attachments are transcoded - converted on the fly - on the server from their native form to a form that can be displayed conveniently in a browser. So attachments are seen remotely, but processed (as LocalSystem) on your Exchange server.

This is probably a good one to patch first, if you don't intend to do them all at once.

MS12-081 - Vulnerability in Windows File Handling Component

This bug shows up when Windows tries to deal with a file or folder having a specially-crafted name.

The file itself isn't the problem - it's the name that is malicious, so the vulnerability is triggered by malicious file metadata, rather than by malicious content.

(Visiting a regular web page that includes a list of files isn't enough, since that type of listing is produced by the web server in HTML, and merely displayed in your browser like any other web page.)

Most file browsing takes place on internal networks using SMB or CIFS (Windows file shares), so the risk of exposure to untrusted external file servers ought to be limited, at least on most business networks.

But Windows supports WebDAV, which is a way of using HTTP-like requests to access external file systems across the internet. This sort of file browsing could, therefore, expose you to this vulnerability.

Please patch soon: as always, prevention is better than cure.

, , , , , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog