Microsoft's July Security Update Arrives With Unexpected IE Fix
Microsoft released its monthly security rollout today, which includes three fixes rated "critical" and six designated "important."
The standout this month is the release of bulletin MS12-044, a cumulative Internet Explorer security update that addresses two privately reported remote code execution (RCE) flaws. What makes this bulletin noteworthy is that Microsoft usually releases a cumulative fix for Internet Explorer every other month; coming after last month's IE fix, this marks the second month in a row that Microsoft's security update includes one.
Wolfgang Kandek, CTO of Qualys Inc., said that the back-to-back release of IE fixes represents an increase in efficiency by Microsoft.
"What makes MS12-044 more interesting is that it's the product of an accelerated update cycle that Microsoft has been working on," said Kandek, in an e-mailed response. "In the past, Internet Explorer was updated only every two months -- that was how long it took to get through all the compatibility testing required for a stable release. Now, Microsoft has streamlined this process to reduce the time needed by 50 percent."
Microsoft has designated this bulletin at the highest threat level, recommending that it be applied as soon as possible on all supported versions of Windows.
Another bulletin that should also be high on the priority list is bulletin MS12-043, which fixes a publicly disclosed hole in the Microsoft XML Core Service that could lead to an RCE attack if a user visits a specially crafted malicious Web site using Internet Explorer. This bulletin affects multiple Microsoft products, including Windows 7, XP, Vista, Office 2007 and Windows Server 2008.
It is worth noting that Microsoft provided a temporary workaround last month for this flaw due to it being exploited in the wild.
The final critical item of the month (bulletin MS12-045) is another RCE fix for Windows. This time the flaw is located in the Microsoft Data Access Components, which handle objects in memory. An attacker who exploits it gains the rights of the user who visited the harmful Web site.
This bulletin has been designated critical due to the ease with which an attacker can leverage the flaw against a user. In addition, exploit code is expected to spread.
"MS12-045 could also have reliable exploit code available within 30 days," said Marcus Carey, security researcher at Rapid7, in an e-mail. "Exploits targeting these vulnerabilities will likely be added to mass malware kits such as the Blackhole Exploit Kit once reliable exploit code is available."
The remaining six items for this month address issues that are not as high a risk as the above bulletins. They include:
- MS12-046: Addresses a publicly disclosed vulnerability in Microsoft Visual Basic for Applications that could lead to an RCE attack if a specially crafted Office document is opened by a user.
- MS12-047: This patches an elevation-of-privilege hole in the Windows kernel-mode driver, which handles keyboard layout files and validates callback parameters.
- MS12-048: This bulletin takes care of a privately reported RCE flaw in the Windows shell.
- MS12-049: Addresses a Transport Layer Security (TLS) flaw that "could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system," according to Microsoft.
- MS12-050: This fixes six vulnerabilities in Microsoft SharePoint and Windows SharePoint Services that could lead to an elevation-of-privilege attack if left unpatched.
- MS12-051: Resolves a hole in Microsoft Office for Mac that could allow elevation of privilege if a harmful file is preloaded on a targeted system.
New Security Advisories
Along with this month's security patch rollout, Microsoft also released two security advisories.
The first, security advisory 2719662, allows system administrators to disable the Windows Sidebar and Gadgets on Windows Vista and 7 (features that won't be available in Windows 8).
According to Yunsun Wee of the Microsoft Trustworthy Computing group, Microsoft is speeding up the deprecation of the Sidebar and Gadgets features in Windows because of potential security issues.
"Meanwhile, we've discovered that some Vista and Win7 gadgets don't adhere to secure coding practices and should be regarded as causing risk to the systems on which they're run," wrote Wee, in a blog post. "With time running out for the Sidebar and Gadgets and with developers already moving on, we've chosen to deprecate the Windows Gadget Gallery effective immediately, and to provide a Fix it to help sysadmins disable Gadgets and the Sidebar across their enterprises."
The second item (Security Advisory 2728973) was released to directly address the unauthorized digital certificate issue that arose last month after attackers used spoofed certificates to spread the Flame malware.
This advisory announces that beginning in August, any certificate that has RSA keys that have a length less than 1024 bits will be automatically seen as invalid, even if they were previously signed by a trusted certificate authority. Microsoft also indicated that it had cleaned up some of its certificates that weren't up to its standards.
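The check the advisory describes, an RSA modulus shorter than 1024 bits, is easy to apply to any certificate store once the SubjectPublicKeyInfo is in hand. The following added example (not code from Microsoft or from the article) walks the DER structure of an RSA SubjectPublicKeyInfo with the standard library only, reports the modulus length in bits, and applies the 1024-bit floor. The `build_rsa_spki` helper and the modulus values it is fed are constructed test inputs, not real keys; the rsaEncryption OID and the DER layout are the standard ones from PKCS #1 and X.509.

```python
"""Measure RSA key length in a DER SubjectPublicKeyInfo and apply a minimum-size policy.

Added example, standard library only. Structure walked (RFC 5280 / PKCS #1):
  SEQUENCE {
    SEQUENCE { OID rsaEncryption, NULL }          -- AlgorithmIdentifier
    BIT STRING { SEQUENCE { INTEGER n, INTEGER e } }  -- RSAPublicKey
  }
"""

# 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded OID contents
RSA_OID = bytes.fromhex("2a864886f70d010101")

# Policy floor described by Security Advisory 2728973: keys below this are rejected.
MIN_RSA_BITS = 1024


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag, value):
    """Encode a DER tag/length/value, using long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_int(x):
    """DER INTEGER for a non-negative int (leading 0x00 keeps it positive)."""
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _encode_tlv(0x02, b)


def build_rsa_spki(modulus, exponent=65537):
    """Constructed test input only: an RSA SubjectPublicKeyInfo around the given modulus.

    The modulus values used in the usage below are synthetic and not real RSA keys;
    the function exists so the parser can be exercised offline.
    """
    alg = _encode_tlv(0x30, _encode_tlv(0x06, RSA_OID) + b"\x05\x00")
    rsa_pub = _encode_tlv(0x30, _encode_int(modulus) + _encode_int(exponent))
    bit_string = _encode_tlv(0x03, b"\x00" + rsa_pub)  # leading byte: 0 unused bits
    return _encode_tlv(0x30, alg + bit_string)


def rsa_modulus_bits(spki):
    """Return the RSA modulus length in bits, or None if the SPKI is not rsaEncryption."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        return None  # EC or other algorithm: the 1024-bit RSA rule does not apply
    tag, bit_string, _ = _read_tlv(body, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _read_tlv(bit_string, 1)  # skip the unused-bits byte
    _, n_bytes, _ = _read_tlv(rsa_pub, 0)       # first INTEGER is the modulus n
    return int.from_bytes(n_bytes, "big").bit_length()


def meets_policy(spki, min_bits=MIN_RSA_BITS):
    """True if the key is non-RSA or an RSA key of at least min_bits."""
    bits = rsa_modulus_bits(spki)
    return bits is None or bits >= min_bits


if __name__ == "__main__":
    # Synthetic moduli (not real keys): a 512-bit and a 2048-bit value.
    for label, n in (("512-bit", (1 << 511) | 1), ("2048-bit", (1 << 2047) | 1)):
        spki = build_rsa_spki(n)
        print(label, rsa_modulus_bits(spki), "accepted" if meets_policy(spki) else "rejected")
```

In practice the SPKI bytes would come from a certificate parser or from `openssl x509 -pubkey`; the policy function is kept separate from the parser so the same floor can be raised later without touching the DER code.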