IT has 7 patches to deal with in December; 5 are critical and 2 are important. Fortunately, none are currently under active attack so that will hopefully set IT’s mind at ease as they begin to apply this set of patches.
2012 in Review
With the multitude of third-party application patching needed this year from the likes of Adobe, Java and even Apple, you likely didn’t notice that Microsoft put out fewer patches this year than in 2011 – 20% fewer, in fact. In 2011, Microsoft Patch Tuesday released 100 bulletins for the calendar year, of which 34 were critical, 63 important and 3 moderate. In 2012, they reduced the total number of bulletins to 83 for the year, of which 35 were critical, 46 important and 2 moderate. It’s great to see Microsoft’s Secure Coding Initiative paying off, reducing the number of vulnerabilities in their software and making Patch Tuesday easier on IT.
A look back over the last couple of years proves interesting. In 2011, January had 2 bulletins, while February had 12. March then went back down to 3, but April went up to 17. May had 2 and June went back up to 16. In contrast, January of this year had 7 patches, February had 9, then 6 in both March and April, and 7 in both May and June. In fact, only one month – September, at 3 – was lower than 6 or higher than 9. The degree of consistency makes it easier for IT to plan out the time and effort they’ll need to spend on Patch Tuesday each month.
December Patch Priority
The most important bulletin this month is MS12-077, affecting IE 9 and IE 10, with a critical severity rating. These are use-after-free issues in components that were introduced in IE 9, which is why only IE 9 and IE 10 are affected: the downlevel platforms don’t have those components. Microsoft has done some defense-in-depth hardening on those platforms to address these issues, but because they lack the affected components, they were not given a severity ranking.
The next priority is MS12-079, a Microsoft Word remote code execution vulnerability. While typical Word vulnerabilities are ranked important, this one is ranked critical. Similar to a bulletin issued a few months ago, the issue is with RTF-formatted data that can be parsed in the Outlook Preview Pane, triggering the vulnerability. Because of that preview-pane parsing, it will be very important to apply this one quickly.
Next, MS12-081 is a kernel-mode driver issue, ranked critical. Similar to a bulletin last month, this affects TrueType and OpenType font parsing. However, because exploiting this vulnerability would be time consuming and difficult, it is less important than the Word and IE issues.
MS12-080 is an Exchange remote code execution vulnerability. A few months ago, Microsoft addressed Oracle Outside In vulnerabilities for the first time; this is a similar update, incorporating the recent Oracle update to Outside In. There has never been an active attack on this, but it’s an important component, so it’s good to see Microsoft performing their due diligence here.
Then we have MS12-078, a remote code execution issue in the Windows file-handling component, affecting Windows XP through Windows 7. Fortunately, Windows 8 is not affected. Essentially, the vulnerability is hit when Windows Explorer parses a file name.
MS12-082 addresses a vulnerability in DirectPlay, affecting all versions of Windows from XP through Windows 8. As we said last month, Windows 8 is unfortunately not perfect, security-wise, and we can expect updates for that operating system to become more common in 2013. If DirectPlay is used to parse content in Office documents or things embedded in Office documents, this vulnerability will come into play: the Office documents act as the vector, but it is a Windows-level vulnerability.
Finally, MS12-083 is a vulnerability in IP-HTTPS, a component of DirectAccess. DirectAccess is a common VPN authentication solution that checks corporate credentials when you log in to ensure they have not been revoked or expired. Essentially, this is a bug in which the revocation of a certificate is not honored, as you might see for corporate credentials after an employee leaves a company. This vulnerability would allow someone with a revoked certificate to log in and access corporate assets. This is ranked important if you use DirectAccess.
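To make the MS12-083 bug class concrete, here is an added illustration (not code from the original post, Microsoft or DirectAccess) in Python using the third-party `cryptography` package: a client-certificate check that looks only at the CA signature and validity window, beside the corrected check that also consults the CA’s CRL and fails closed. The in-memory CA, user names, serial numbers and the use of a CRL (rather than whatever revocation source IP-HTTPS actually queries) are all constructed assumptions for the demo.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW = datetime.datetime(2012, 12, 11)  # constructed "current time" for the demo

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _naive(obj, attr):
    # Newer 'cryptography' releases expose tz-aware <attr>_utc; older ones only naive <attr>.
    v = getattr(obj, attr + "_utc", None)
    return v.replace(tzinfo=None) if v is not None else getattr(obj, attr)

def issue_cert(subject_cn, issuer, serial, signing_key=None):
    # Self-signed when signing_key is None (the constructed CA); otherwise signed by the CA key.
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(_name(subject_cn)).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(key if signing_key is None else signing_key, hashes.SHA256()))
    return key, cert

def build_crl(ca_key, ca_cert, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def accept_without_revocation_check(cert, ca_cert):
    # The bug class described for MS12-083: CA signature and validity window are checked,
    # revocation is not, so a revoked but otherwise valid certificate still gets in.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False
    return _naive(cert, "not_valid_before") <= NOW <= _naive(cert, "not_valid_after")

def accept_with_revocation_check(cert, ca_cert, crl):
    # Fix: additionally require a fresh, CA-signed CRL that does not list this serial; fail closed.
    if not accept_without_revocation_check(cert, ca_cert):
        return False
    if not crl.is_signature_valid(ca_cert.public_key()) or _naive(crl, "next_update") < NOW:
        return False
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
```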
There is also a Flash update, which is pretty common these days, and a re-release addressing some code signing issues by updating the code signing certificates.
Outside of Microsoft
Adobe has matched their update release to Patch Tuesday. This should be good news for you – it will help consolidate reboots and other issues.
Other notable issues outside of Microsoft this Patch Tuesday period:
Oracle was already feeling the heat from a new cross-vendor zero-day vulnerability reported in Java and is now facing additional pressure with multiple vulnerabilities reported in their widely used MySQL product. Several vulnerabilities were reported in early December by the researcher “Kingcope” on the Exploit Database. The new MySQL exploits include a denial-of-service attack, a Windows remote root attack, two buffer overrun attacks on Linux, and one privilege escalation attack, also on Linux.
The widely used DNS software BIND 9.9.2 now has patches available to handle 26 different bugs and security issues. Additional information can be found here.
The SANS ISC has reported that exploit code has been made public for the SSH implementations from Tectia SSH and freeSSH/freeFTP. There are no CVEs available for tracking, and there have not been any public announcements from either software vendor.