We’ve just published our latest analysis and threat-level assessments of this month’s Microsoft Patch Tuesday updates.
Here are the results in super-abbreviated form:
|Bulletin ID||Software component||MS threat level||SophosLabs assessment||Vuln type|
|MS12-072||Explorer (Windows shell)||Critical||High||RCE|
|MS12-076||Excel (Windows + Mac)||Important||High||RCE|
(RCE stands for remote code execution, where attackers may be able to trick the vulnerable software into running program code of their choice by feeding in maliciously-crafted data from the outside.)
Advice follows on the what, why and where of the patches rated High and Medium by SophosLabs.
MS12-071 – Cumulative Security Update for Internet Explorer
Three so-called “use after free” vulnerabilities are patched here, all for Internet Explorer 9.
Other versions of Internet Explorer (ironically including the one you should long have left behind, Internet Explorer 6) are OK, including Internet Explorer 10. So newly-configured Windows 8 and Windows Server 2012 computers, which come with Internet Explorer 10, don’t need this fix.
Also, since Internet Explorer isn’t part of Server Core installs – Microsoft’s lower-attack-surface-area flavours of Windows Server – those systems are immune.
A “use after free” bug happens when software gives back memory to the operating system in order to free up resources it no longer needs, but then carries on using that memory anyway.
Since someone else might innocently have altered the contents of that memory in the interim, a “use after free” is pretty much guaranteed to end in tears.
If those interim memory modifications are deliberately crafted by an attacker, the outcome is even worse: a remote code execution exploit.
MS12-072 – Vulnerabilities in Windows Shell
Here, a malevolently-created Windows Briefcase (one of Microsoft’s file synchronisation tools) could give an attacker remote control of your computer.
As in the case of MS12-071, Server Core installs aren’t affected. All other platforms are at risk and need patching, from XP to Windows 8, and from Server 2003 to Server 2012.
MS12-074 – Vulnerabilities in .NET Framework
Five separate vulnerabilities were patched here, including one that can be exploited for RCE through a dodgy proxy configuration file.
All platforms, from XP to Windows 8, and from Server 2003 to Server 2012, are at risk – including Server Core installs of 2008 and 2012.
MS12-075 – Vulnerabilities in Windows Kernel-Mode Drivers
Three separate kernel vulnerabilities were fixed, including one involving the processing of fonts (TrueType Fonts, or TTF files).
Because fonts can, and often are, embedded into web pages so they render precisely as the page designer wanted, this means that just visiting a web page could be enough to trigger a RCE event inside the kernel.
Again, XP to 8 and 2003 to 2012 (including Server Core installs) are vulnerable.
If you are looking for a “first amongst equals” patch to start with, I’d recommend these kernel driver fixes.
Treat the kernel as the adminstrator’s administrator and take kernel-mode RCE flaws as your greatest concern.
MS12-076 – Vulnerabilities in Microsoft Excel
The Excel bug patched here applies to Office for Windows (2003, 2007 and 2010), to Office for Mac (2008, 2011), and to the standalone Excel Viewer.
Since Excel files aren’t supposed to contain executable code – at least, not code that runs without clear warning to the user – they are often treated with comparative lack of concern when seen in emails or on web pages.
For what it’s worth, even after you’ve applied this patch, I recommend a high degree of scepticism about untrusted, remotely-delivered Excel files.
Since Excel files are often about money, and budgets, and financial planning, trusting them implicitly even if they don’t contain malware is a risky proposition!
Patch soon: as always, prevention is better than cure.