Vigilance Required this June Patch Tuesday
Paul Henry - June 12th, 2012
Continuing Microsoft’s revamped security initiatives and, in turn, an overall decrease in patches, we have seven bulletins from Microsoft this period that address a total of 22 vulnerabilities, three of which are critical and four of which will require a restart. Halfway through 2012, we now have 35 patches, which puts us slightly ahead of last year, which saw a total of 99 patches.
IT should prioritize the 3 critical patches, MS12-036, MS12-037 and MS12-038, followed by the 4 important ones, MS12-039, MS12-040, MS12-041 and MS12-042. As always, the highest priorities are the critical issues impacting RDP, IE and .NET, followed by the important issues impacting Lync, Dynamics AX, KMD and the Kernel. However, the Lync issue also warrants additional priority attention: the underlying problems fixed include an issue with TrueType font rendering, which has traditionally been a serious issue that can also impact other Microsoft software, and HTML sanitization, which can also impact IE.
While IT administrators should certainly be concerned with these issues, what seems to be top of mind for everyone is the recent discovery of Flame and its implications. In light of the latest Flame malware, on the heels of Stuxnet and Duqu, many organizations are concerned about how their systems could be targeted from the outside by attackers. With a remote code execution vulnerability for both IE and Windows Server 2008, organizations should be vigilant and apply patches immediately. Get the patch Microsoft issued on June 3, Security Advisory 2718704, here.
That being said, Microsoft handled the discovery of Flame in the best manner possible. In Microsoft’s most recent post, they explained that by default the attacker’s certificate would not work on Windows Vista or more recent versions of Windows. Attackers had to perform a collision attack to forge a certificate that would be valid for code signing on Windows Vista or later. On systems that pre-date Windows Vista, an attack is possible without an MD5 hash collision. This reiterates how critical it is for IT administrators to update OSes to Vista or a later version.
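The point above is that the forged certificate depended on a weak signature hash (MD5). As an added example, not code from the original post or from Microsoft, the following stdlib-only DER walker reads a certificate's outer signatureAlgorithm and flags md5WithRSAEncryption, so an administrator can audit a store of DER certificates for MD5 signatures. The sample certificates it parses are constructed shells with placeholder bodies, not real certificates.

```python
# Added example, not from the original post: a stdlib-only DER walker that
# reads a certificate's outer signatureAlgorithm and flags md5WithRSAEncryption,
# the hash whose collision weakness the forged Flame certificate relied on.

MD5_RSA_OID = "1.2.840.113549.1.1.4"  # md5WithRSAEncryption (PKCS #1)

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:  # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)        # skip tbsCertificate entirely
    _, alg_id, _ = _read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _read_tlv(alg_id, 0)      # first element is the OBJECT IDENTIFIER
    return _decode_oid(oid)

def uses_md5_signature(cert_der):
    """True if the certificate was signed with md5WithRSAEncryption."""
    return signature_algorithm_oid(cert_der) == MD5_RSA_OID

# Constructed sample input (not real certificates): valid Certificate framing
# around a stub tbsCertificate and a zeroed 1024-bit BIT STRING signature.
TBS_STUB = b"\x30\x03\x02\x01\x02"
ALG_MD5 = b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00"
ALG_SHA256 = b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00"
SIG_STUB = b"\x03\x81\x81\x00" + bytes(128)  # long-form length exercised here

def build_dummy_cert(alg_id):
    """Wrap the stubs in the outer SEQUENCE (152-byte body, so long-form length)."""
    body = TBS_STUB + alg_id + SIG_STUB
    return b"\x30\x81" + bytes([len(body)]) + body
```

Point `uses_md5_signature` at the bytes of a real DER-encoded certificate to check it; PEM files need base64-decoding first.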
With the public admission that Stuxnet was an offensive cyber weapon developed in part by the US, and with increasing evidence that Duqu and Flame were also US cyber weapons, it was predicted that other countries would quickly follow suit. Those predictions have already come to fruition. India has announced that it is currently finalizing plans which would give the Defense Intelligence Agency (DIA) and National Technical Research Organization (NTRO) the power to carry out unspecified offensive operations.
Microsoft Patch Tuesday Details
- MS12-036 (RDP) – 1 Critical CVE – RCE
- MS12-037 (IE) – 8 Critical CVEs, 3 Important, 2 Moderate – RCE
- MS12-038 (.NET) – 1 Critical CVE – RCE
- MS12-039 (Lync) – 4 Important CVEs – RCE
- MS12-040 (Dynamics AX) – 1 Important CVE – EoP
- MS12-041 (KMD) – 5 Important CVEs – EoP
- MS12-042 (Kernel) – 2 Important CVEs – EoP
Google issued a statement this week that they will warn Gmail users if they are being targeted by state-sponsored attacks. While this is a plausible effort, is there a point if it isn’t actionable? As we saw with Stuxnet, state-sponsored malware is the most complex kind, because unlike something from any hacker off the street, it has significant funding behind it. The question also arises of how Google will know whether or not a specific attack is state-sponsored; attribution is a tricky problem. While questions remain as to how such a notification from Google will come about, one thing remains clear: we’ll be sure to see more of this activity, especially here in the U.S. after the government’s recent admission to Stuxnet’s creation.
Adobe released a security update for Flash Player 188.8.131.52 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 184.108.40.206 and earlier versions for Android 4.x, and Adobe Flash Player 220.127.116.11 and earlier versions for Android 3.x and 2.x. The corrected issues could allow an attacker to take control of an affected system. The update specifically addresses CVE-2012-2034, CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2038, CVE-2012-2039 and CVE-2012-2040.
Adobe has also released a patch for ColdFusion 9.0.1 to address CVE-2012-2041.