Tuesday, October 9, 2012

Microsoft Patch Tuesday, October 2012 – Legend of Zelda Edition

Hope you enjoyed last month's light Patch Tuesday with only
two bulletins, because this month we are right back at it with seven bulletins
covering everything from Elevation of Privilege and Denial of Service to Remote
Code Execution. There is only one critical update this month, but there is also
the enforcement of 1024-bit digital certificates. Probably the most interesting
patch this month involves Lync, Microsoft's enterprise messaging system, if
only for the reason that every time I read Lync I think Link, as in the hero of
Nintendo's Legend of Zelda, which I spent way too much time playing back in the
eighties.
Much like Link needs to get keys to open doors in Hyrule,
Microsoft products will often use certificates to allow communication between
products. As of today, Microsoft products will reject any certificate with an RSA
key of less than 1024 bits. Microsoft
has made an optional patch available for the last two months to enforce this
rule, but now it is no longer optional.
Even if you are not using 512-bit keys, this is an excellent opportunity
to update all your keys to 1024 bits or even more.
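As an added example that is not from the original post, the following PowerShell (written to run on PowerShell 2.0 as well as later versions) inventories the local certificate stores for RSA public keys shorter than 1024 bits, so you can find what will start failing before your users do. The list of store paths and the 1024-bit threshold are assumptions you can adjust; the script only reads the stores and changes nothing.

```powershell
# Added example, not from the original post: list certificates whose RSA public key
# is shorter than the 1024-bit minimum now being enforced. Read-only; nothing is modified.

function Get-WeakRsaCertificate {
    param(
        # Stores to inspect (assumption: add any others you rely on, e.g. 'Cert:\LocalMachine\WebHosting')
        [string[]] $StorePath = @('Cert:\LocalMachine\My',
                                  'Cert:\LocalMachine\CA',
                                  'Cert:\LocalMachine\Root',
                                  'Cert:\CurrentUser\My'),
        # Threshold in bits; 1024 is what the October 2012 enforcement requires
        [int] $MinimumBits = 1024
    )

    foreach ($path in $StorePath) {
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
        foreach ($cert in $certs) {
            # Store containers under Cert:\ have no PublicKey property; only look at certificates
            if ($cert -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) { continue }
            # The rule applies to RSA keys only; ECC and DSA certificates are not affected by it
            if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { continue }

            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                New-Object PSObject -Property @{
                    Store      = $path
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

# Report shortest keys first; an empty result means nothing in these stores trips the new rule
Get-WeakRsaCertificate | Sort-Object KeyBits | Format-Table Store, KeyBits, Subject, Issuer, NotAfter -AutoSize
```

Because chain validation checks every certificate in the path, a short key on a root or intermediate CA certificate in the Root or CA stores will fail every leaf certificate issued under it, not just its own. Run this on your certificate authority servers and anything that terminates TLS, not only on clients.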

MS12-064 (KB 2742319)
CRITICAL
Remote Code Execution
in Microsoft Word

CVE-2012-0182
CVE-2012-2528
A specially crafted RTF file could allow an attacker to take
complete control of a system to install their own programs, delete data or even
create new accounts. (Sounds like something a WallMaster would do.) The vulnerability is present in most versions
of Microsoft Word 2003, 2007 and 2010, and even in SharePoint Server 2010 SP1, and is
caused by how Word handles memory when parsing certain files. This one can be a
little tricky because Microsoft Word is set as the default mail reader in
Outlook 2007 and 2010, which means that an attacker could leverage email as the
attack vector to get you to open the specially crafted RTF file. This
vulnerability has been hidden away in a dungeon (probably the Manji Dungeon)
and has not yet been seen in the wild.

MS12-065 (KB 27546070)
IMPORTANT
Remote Code Execution
in Microsoft Works

CVE-2012-2550
The last time I used Microsoft Works was version 2.0 on my
Mac SE, so I was surprised to learn that the current version is 9.0 and is still
a supported and even a shipping product. Works 9.0 is still available at retail
but is mostly used by OEMs to include with systems. If you are using Works 9.0
you will want to pay attention to this one, especially if you try to open
Microsoft Word files with your version of Works. When Works attempts to convert a Word file it
can potentially corrupt system memory in a way that could allow an attacker to
execute arbitrary code. If you are using an older version of Microsoft Works
you should really think about upgrading. Microsoft doesn't say whether the
vulnerability exists in older versions, since they are no longer
supported, so to be safe you will want to upgrade.

MS12-066 (KB 2741517)
IMPORTANT
Elevation of Privilege
in HTML Sanitization

CVE-2012-2520
“But
wait! All was not lost. A young lad appeared. He skillfully drove off Ganon’s
henchmen and saved Impa from a fate worse than death. His name was Link.”

OK, this one affects more than just Lync; it also covers InfoPath,
Communicator, SharePoint, Groove and Office Web Apps. However, as soon as I read Lync I immediately
thought of our intrepid hero and his quest to save the lovely princess
Zelda. But instead of being hunted by
the evil forces of Ganon, this Lync is hunted by poorly sanitized HTML strings.
The bad strings could allow cross-site scripting attacks that could run scripts
in the context of the logged-on user. If
you try to get the full Lync update through Automatic Update you won't find it.
The update for Lync 2010 Attendee (user level install) has to be handled
through a Lync session, so the update is only available in the Microsoft
Download Center. This one has escaped
the dungeon and has been seen on a limited basis in the wild. (Just hiding
under the sand like a Peahat waiting to get you.)

MS12-067 (KB 2742321)
IMPORTANT
Remote Code Execution
in SharePoint FAST Search Server 2010

CVE-2012-1766
You only need to worry about this patch if you have the
Advanced Filter Pack enabled on your FAST Search Server 2010 for SharePoint;
it is disabled by default. Exploitation
of this vulnerability could allow an attacker to run arbitrary code in the
context of a user account with a restricted token (Orange Rupee?). The flaw is
actually in the Oracle Outside In libraries that Microsoft licenses from Oracle. This is
at least the second recent vulnerability we have seen in these libraries. While
this one has not yet been seen in the wild, Microsoft thinks that code to
exploit this vulnerability is likely to exist within the next thirty days.

MS12-068 (KB 2724197)
IMPORTANT
Elevation of Privilege
in Windows Kernel

CVE-2012-2529
I hate reading "all supported releases of Microsoft
Windows"; it sends shivers up my spine like a Stalfos. However, this statement was
closely followed by "except Windows 8 and Windows Server 2012", which isn't
much consolation, but I'll take it. This is a classic elevation of privilege
requiring an attacker to already have access to a system, either through
legitimate credentials or some other vulnerability. Once inside, an attacker could use this
vulnerability to gain administrator-level access.

MS12-069 (KB 2743555)
IMPORTANT
Denial of Service in
Kerberos

CVE-2012-2551
Unlike MS12-068, which affects just about everything, MS12-069 is
only found in Windows 7 and Server
2008 R2. A specially crafted session request to the Kerberos server could
result in a denial of service. If you have a properly configured firewall in
place it will help protect your network from external attacks, sort of like
Link's shield protects against Tektites. Of course, that won't do much good if
the attacker is already inside your network.

MS12-070 (KB 2754849)
IMPORTANT
Elevation of Privilege
in SQL Server

CVE-2012-2552
If you are running SQL Server Reporting Services then you
have a problem validating input parameters which, if exploited, could cause an
elevation of privilege. The XSS filter in Internet Explorer 8, 9 and 10 can
protect users against this attack if it
is enabled in the Intranet Zone, which is not the default. You can enable it by
going to Internet Options -> Security Settings -> Intranet Zone -> Custom Level -> Enable XSS Filter,
or just apply the patch offered through Automatic Updates. If
you decide to do neither and a user clicks on a specially crafted link in email
or browses to a specially crafted webpage, well, game over.
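As an added example that is not from the original post, this PowerShell reads and, if necessary, sets the Intranet Zone XSS filter for the current user, which is the registry equivalent of the Custom Level click path above. It assumes Internet Explorer keeps per-zone URL actions under the Zones\1 key in HKCU (zone 1 being Local intranet) and that the XSS filter is the action value named 1409, with 0 meaning enabled and 3 meaning disabled; confirm that mapping against the Custom Level dialog on one machine before pushing it out.

```powershell
# Added example, not from the original post. Zone 1 is "Local intranet"; 1409 is the
# URL-action value for the XSS Filter (assumption: verify in Custom Level before deploying).
$IntranetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$XssFilterAction = '1409'

function Get-IntranetXssFilterState {
    $item = Get-ItemProperty -Path $IntranetZoneKey -Name $XssFilterAction -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'NotSet' }   # no explicit value: the zone default (disabled) applies
    $data = $item.$XssFilterAction
    if ($data -eq 0) { return 'Enabled' }
    if ($data -eq 3) { return 'Disabled' }
    return "Unknown($data)"
}

function Enable-IntranetXssFilter {
    if (-not (Test-Path $IntranetZoneKey)) { New-Item -Path $IntranetZoneKey -Force | Out-Null }
    # 0 = Enable for this URL action
    Set-ItemProperty -Path $IntranetZoneKey -Name $XssFilterAction -Value 0 -Type DWord
}

$before = Get-IntranetXssFilterState
if ($before -ne 'Enabled') {
    Enable-IntranetXssFilter
}
Write-Output ("Intranet zone XSS filter: {0} -> {1}" -f $before, (Get-IntranetXssFilterState))
```

This only changes the current user's setting. For a fleet, use the Internet Explorer Group Policy setting that turns the XSS filter on for the Intranet zone instead of touching HKCU on each machine, and treat the filter as a stopgap: the patch removes the parameter-validation flaw itself, while the filter only blocks some of the ways to reach it.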

"Can Link really destroy Ganon and save princess Zelda?"
"Only your skill can answer that question. Good luck. Use the Triforce wisely."