VERT Alert - August 14, 2012

August 14, 2012 4:20 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-471 on Wednesday, August 15th.

Layout Memory Corruption Vulnerability CVE-2012-1526
Asynchronous NULL Object Access Remote Code Execution Vulnerability CVE-2012-2521
Virtual Function Table Corruption Remote Code Execution Vulnerability CVE-2012-2522
JavaScript Integer Overflow Remote Code Execution Vulnerability CVE-2012-2523
Remote Desktop Protocol Vulnerability CVE-2012-2526
Remote Administration Protocol Denial of Service Vulnerability CVE-2012-1850
Print Spooler Service Format String Vulnerability CVE-2012-1851
Remote Administration Protocol Heap Overflow Vulnerability CVE-2012-1852
Remote Administration Protocol Stack Overflow Vulnerability CVE-2012-1853
Win32K Use After Free Vulnerability CVE-2012-2527
JavaScript Integer Overflow Remote Code Execution Vulnerability CVE-2012-2523
CGM File Format Memory Corruption Vulnerability CVE-2012-2524
Oracle Outside In contains multiple exploitable vulnerabilities See Below
Visio DXF File Format Buffer Overflow Vulnerability CVE-2012-1888
MSCOMCTL.OCX RCE Vulnerability CVE-2012-1856


The month starts off with a cumulative update to Internet Explorer, the third update in as many months. The only interesting aspect of MS12-052 is CVE-2012-2523. This CVE describes a vulnerability in the x64 versions of Internet Explorer 8 and 9; however, the patch in MS12-052 only fixes this issue for IE9. To resolve this specific vulnerability on IE8, users must turn to MS12-056.


The second bulletin of the month brings us our third RDP fix of the year. This patch fixes a potentially wormable issue that thankfully only affects Windows XP, which speaks to improvements that Microsoft has made to their development processes.


There are four issues resolved by applying MS12-054. Microsoft has released an excellent blog post describing in detail how MS12-054 works, so rather than explain it, please read this post. The tl;dr of the blog post is that a malicious attacker would need to become the master browser on a subnet and send malicious responses to specific resource requests. Windows XP and Server 2003 are the only platforms at risk for code execution, while later platforms will suffer a Denial of Service.


The single vulnerability resolved by MS12-055 is another one we're accustomed to seeing, a local privilege escalation affecting win32k.sys. This is the 5th patch we've seen this year for win32k.sys.


This bulletin is almost an extension of MS12-052. While it lists itself as a JScript/VBScript 5.8 update, it is essentially the IE8 fix for MS12-052. Only x64 versions of Windows operating systems are affected by this vulnerability.


A single CVE is listed in MS12-057, detailing a CGM file format vulnerability affecting Microsoft Office 2007 and 2010. Updates for Office are not uncommon, so this type of fix should be expected at this point.


This bulletin resolves 13 vulnerabilities affecting Oracle Outside In, which is used by Microsoft Exchange Server for the WebReady Document Viewing Feature. A malicious file sent to an Outlook Web Access (OWA) user could trigger the vulnerability and run code on the server. Each CVE in the list is mapped to a different file parser, and the following document types are affected: DCR, DOC, DPT, JP2, LWP, ODG, PCX, PDF, SAM, SXD, SXI, VSD, WSD. Microsoft first noted that these vulnerabilities existed in Security Advisory 2737111. They also noted that FAST Search Server 2010 for SharePoint was affected; however, updates for it have not been released yet.
CVEs: CVE-2012-1766, CVE-2012-1767, CVE-2012-1768, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, CVE-2012-3109, and CVE-2012-3110


There's not much to add about this bulletin; file format vulnerabilities in Visio aren't new. They aren't as common as some of the other vulnerabilities this month, but we've seen this before. It is important to note that this issue affects only Visio and Visio Viewer 2010.


The final bulletin this month is the one that should be patched first, as Microsoft has identified this bulletin as the top of their risk priority for the month. A number of products are affected, including Office, Commerce Server, Host Integration Server, Visual FoxPro, the VB6 Runtime, and SQL Server. Microsoft has announced that they are seeing limited targeted attacks in the wild and that possible attack vectors include malicious RTF email attachments and drive-by downloads. Microsoft has released a blog post with additional details on this bulletin.


As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table (ease of use: Automated Exploit, Extremely Difficult, No Known Exploit; risk: Local Availability, Remote Availability, Remote Access, Local Privileged, Remote Privileged)


All data and commentary is based on information available when the VERT Alert is published.