Microsoft released patches for 23 security vulnerabilities today as part of a busy Patch Tuesday that includes critical fixes for issues for Microsoft Windows, Silverlight, Microsoft Office and the .NET Framework.
Of the seven bulletins, Microsoft recommends administrators turn their attention to two first: MS12-034 and MS12-029. Both bulletins are rated “critical,” address remote-code-execution issues and were given the highest rating on Microsoft’s “exploitability index.” MS12-034, however, ties together 10 fixes across several product lines that were bundled together as part of an update meant to implement the final fixes on a vulnerability exploited by the notorious Duqu malware.
Believed by many to be related to Stuxnet, Duqu was spotted in September exploiting a vulnerability affecting Microsoft Word. The company patched the bug with MS11-087, but other Microsoft products were discovered to contain the same vulnerability.
“At first glance, MS12-034 may seem to be addressing a number of unrelated vulnerabilities in unrelated products,” blogged Jonathan Ness, head of Microsoft’s Security Response Center Engineering team. “For example, why would a keyboard layout handling vulnerability be addressed in the same update as a Silverlight issue? However … we needed to address the font-parsing vulnerability (CVE-2011-3402) in a number of different products.”
“As each new product was added to the security update package, the vulnerabilities planned-to-be-addressed in the same binary were also included,” he continued. “Addressing CVE-2011-3402 required us to service ogl.dll, gdiplus.dll, win32k.sys, Silverlight, .NET Framework, etc. Because gdiplus.dll was being addressed, several other fixes that were scheduled to be released in the same binary were looped in to this update.”
“In a mixed bag of bulletins, MS12-034 stands out for its confusion factor,” said Andrew Storms, director of security operations at nCircle.
“Evidently, Microsoft discovered that the same bits of bad code that were fixed in MS11-087 last year were copied and pasted into other applications, so they needed to fix those, too,” he said. “Since other changes were pending for those applications, all kinds of other bug fixes not related to Duqu are bundled into this bulletin … Microsoft’s careful due diligence and adherence to their strict update processes may end up causing more confusion than clarity with this fix. It’s probably best not to spend too much time analyzing—just install the patch as soon as you can, and then move on.”
MS12-029 should also garner attention, as it addresses a critical bug in Microsoft Office that could lead to remote-code execution if the victim opens or previews a malicious Rich Text Format (RTF) file using a vulnerable version of Microsoft Office.
“In an email attack scenario, an attacker could exploit the vulnerability by sending specially crafted RTF-formatted data in the contents of an email message,” Microsoft noted in its advisory. “The vulnerability could be exploited when the specially crafted RTF email message is previewed or opened in Outlook while using Microsoft Word as the email viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF file as an attachment and convincing the user to open the specially crafted RTF file.”
In a Web-based attack scenario, “an attacker could host a Website that contains an Office file that is used to attempt to exploit this vulnerability,” according to Microsoft.
The company is advising customers to apply MS12-029 as soon as possible.
Also patched in the update are two critical vulnerabilities in the .NET Framework (MS12-035) that could enable an attacker to execute code if a victim views a specially crafted Webpage using a Web browser that can run XAML browser applications (XBAPs).
“The .NET vulnerabilities are also prominent in this month’s patches,” said Joseph Chen, engineering director, security technology and response, at Symantec. “Exploits for this vulnerability are likely to be hosted as drive-by downloads on maliciously created or otherwise compromised Websites. So, as always, we strongly advise avoiding sites of unknown or questionable integrity, to protect from attacks seeking to use these security holes.”
The remaining security bulletins are rated “important” and address issues in Microsoft Windows and Microsoft Office.