Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More

Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Microsoft Patch Tuesday, October 2012 – Legend of Zelda Edition

Hope you enjoyed last months light patch Tuesday with only two bulletins as this month we are right back at it with seven bulletins covering everything from Elevation of Privilege, Denial of Service and Remote Code Execution. There is only one critical update this month but there is also the enforcement of 1024 bit digital certificates. Probably the most interesting patch this month involves Lync, Microsoft's enterprise messaging system, if only for the reason that every time I read Lync I think Link, as in the hero of Nintendo's Legend of Zelda which I spent way too much time playing back in the eighties.

11404_b6f46a02-7f16-4c3e-91f7-b403e95be22e

Much like Link needs to get keys to open doors in Hyrule Microsoft products will often use certificates to allow communication between products. As of today Microsoft products will reject any certificates with RSA keys of less than 1024 bits. Microsoft has made an optional patch available for the last two months to enforce this rule but now it is no longer optional. Even if you are not using 512 bit keys this is an excellent opportunity to update all your keys to 1024 bits or even more.

 

MS12-064 (KB 2742319)

CRITICAL

Remote Code Execution in Microsoft Word

CVE-2012-0182CVE-2012-2528

8782_39cf2b55-0b5d-4c55-9797-3b3ae74a94df

A specially crafted RTF file could allow an attacker to take complete control of a system to install their own programs, delete data or even create new accounts. (Sounds like something a Wall Master would do.) The vulnerability is present in most versions of Microsoft Word 2003, 2007, 2010 and even SharePoint Server 2010 SP1 and is caused by how Word handles memory when parsing certain files. This one can be a little tricky because Microsoft Word is set as the default mail reader in Outlook 2007 and 2010, which means that an attacker could leverage email as the attack vector to get you to open the specially crafted RTF file. This vulnerability has been hidden away in a dungeon (probably the Manji Dungeon) and has not yet been seen in the wild.

 

MS12-065 (KB 27546070)

IMPORTANT

Remote Code Execution in Microsoft Works

CVE-2012-2550

The last time I used Microsoft Works was version 2.0 on myMac SE so I was surprised to learn that the current version is 9.0 and is still a supported and even a shipping product. Works 9.0 is still available at retail but is mostly used by OEMs to include with systems. If you are using Works 9.0you will want to pay attention to this one especially if you try to open Microsoft Word files with your version of Works. When Works attempts to convert a Word file it can potentially cause system memory corruption that could allow an attacker to execute arbitrary code. If you are using an older version of Microsoft Works you should really think about upgrading. Microsoft doesn't mention if the vulnerability exists in older versions or not since they are no longer supported, so to be safe you will want to upgrade.

 

MS12-066 (KB 2741517)

IMPORTANT

Elevation of Privilege in HTML Sanitation

CVE-2012-2520

8739_379cd92c-4db4-4d14-834e-09cf7a3211e6

"But wait! All was not lost. A young lad appeared. He skillfully drove off Ganon's henchmen and saved Impa from a fate worse than death. His name was Link."

10002_76795bba-4498-4597-b6e1-096ace4e942a

OK, this one affects more than just Lync but also InfoPath, Communicator, SharePoint, Groove and Office Web Apps. However as soon as I read Lync I immediately thought of our intrepid hero and his quest to save the lovely princess Zelda. But instead of being hunted by the evil forces of Ganon this Lync is hunted by poorly sanitized HTML strings. The bad strings could allow cross-site scripting attacks that could run scripts in the context of the logged-on user. If you try to get the full Lync update through Automatic Update you won't find it. The update for Lync 2010 Attendee (user level install) has to be handled through a Lync session so the update is only available in the Microsoft Download Center. This one has escaped the dungeon and has been seen on a limited basis in the wild. (Just hiding under the sand like a Peahat waiting to get you.)

 

MS12-067 (KB 2742321)

IMPORTANT

Remote Code Execution in SharePoint FAST Search Server 2010

CVE-2012-1766

8779_3989572b-0d48-408e-88bc-5d712fad924b

You only need to worry about this patch if you have the Advanced Filter Pack enabled on your FAST Search Server 2010 for SharePoint, it's disabled by default. Exploitation of this vulnerability could allow an attacker to run arbitrary code in the context of a user account with a restricted token (Orange Rupee?). The flaw is actually in the Oracle Outside-In libraries licensed from by Microsoft. This is at least the second recent vulnerability we have seen in these libraries. While this one has not yet been seen in the wild Microsoft thinks that code to exploit this vulnerability is likely to exist within the next thirty days.

 

MS12-068 (KB 2724197)

IMPORTANT

Elevation of Privilege in Windows Kernel

CVE-2012-2529

11261_b0b3e793-9105-45aa-86a2-357cde487cd7

I hate reading "all supported releases of Microsoft Windows", it sends shivers up my spine like a Stalfos. However, this statement was closely followed by "except Windows 8 and Windows Server 2012", which isn't much consolation, but I'll take it. This is a classic elevation of privilege requiring an attacker to already have access to a system either through legitimate credentials or some other vulnerability. Once inside an attacker could use this vulnerability to gain administrator level access.

 

MS12-069 (KB 2743555)

IMPORTANT

Denial of Service in Kerberos

CVE-2012-2551

9557_5fec4825-3081-4cbb-b52f-81e8de90ba6b

Unlike MS12-068 that affects just about everything MS12-069 is only found in Windows 7 and Server2008 R2. A specially crafted session request to the Kerberos server could result in a denial of service. If you have a properly configured firewall in place it will help protect your network from external attacks, sort of like Link's shield protects against Tektites. Of course that won't do much good if the attacker is already inside your network.

 

MS12-070 (KB 2754849)

IMPORTANT

Elevation of Privilege in SQL Server

CVE-2012-2552

If you are running the SQL Server Reporting Service then you have a problem validating input parameters which if exploited could cause an elevation of privilege. The XSS filter in Internet Explorer 8, 9, and 10 can protect users against this attack if it is enable in the Intranet Zone, which is not the default. You can enable it by going to Internet Options -> Security Settings -> Intranet Zone -> Custom Level -> Enable XSS Filter or just apply the patch offered through Automatic Updates. If you decide to do neither and a user clicks on a specially crafted link in email or browses to a specially crafted web page, well, game over.

 

"CanLink really destroy Ganon and save princess Zelda?

"Only your skill can answer that question. Good luck. Use the Triforce wisely."

9376_56730b59-5607-411a-92f1-e538900841d8

 

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo