VERT Alert - December 11, 2012

December 11, 2012 4:30 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, nCircle's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-489 on Wednesday, December 12th.


InjectHTMLStream Use After Free Vulnerability CVE-2012-4781
CMarkup Use After Free Vulnerability CVE-2012-4782
Improper Ref Counting Use After Free Vulnerability CVE-2012-4787
OpenType Font Parsing Vulnerability CVE-2012-2556
TrueType Font Parsing Vulnerability CVE-2012-4786
Word RTF 'listoverridecount' Remote Code Execution Vulnerability CVE-2012-2539
Oracle Outside In Contains Multiple Exploitable Vulnerabilities CVE-2012-3214
RSS Feed May Cause Exchange DoS Vulnerability CVE-2012-4791
Windows Filename Parsing Vulnerability CVE-2012-4774
DirectPlay Heap Overflow Vulnerability CVE-2012-1537
Revoked Certificate Bypass Vulnerability CVE-2012-2549


The first bulletin this month is also the one you should patch first. As usual, Internet Explorer starts off the list, this time with three privately reported vulnerabilities. It's interesting to note this month that while all versions of IE have patches available, only IE9 and IE10 are vulnerable to the patched vulnerabilities. The older platforms are receiving a defense-in-depth update only.


This month's second bulletin feels like it should be two different bulletins. Two different patches are available because both OpenType and TrueType Font Parsing contain vulnerabilities. It is important to keep this in mind when applying updates; you'll need to apply multiple patches to your host.


The third bulletin this month resolves a single vulnerability in Microsoft Word's RTF parser. It's important to know that Word is used to power the Outlook preview pane and RTF emails are fairly common, so you may be exploited simply by viewing an email in the preview pane.


This bulletin contains three CVEs; one directly affects Microsoft Exchange while the other two describe vulnerabilities found in Oracle's Outside In product, which is used in the Exchange WebReady Document Viewing feature.


MS12-081 describes a single vulnerability affecting file browsing on Windows systems. When browsing to a folder containing a file with a malicious Unicode name, code execution could occur. The likely avenue of attack would be browsing an SMB or WebDAV share.


The second-to-last bulletin this month resolves a single vulnerability affecting Microsoft DirectPlay. This heap overflow vulnerability can be exploited by opening an Office document that has malicious DirectPlay content embedded within it.


The final bulletin this month resolves a security bypass in the IP-HTTPS tunnel of Microsoft DirectAccess. The bypass occurs when a formerly valid certificate issued by the domain has since been revoked. Microsoft has released a detailed blog post explaining this issue on the Security Research & Defense blog.

Additional Information

In addition to the standard Microsoft updates, Adobe has released an update to Flash, which has, in turn, led to the release of an update to IE10, in addition to the update listed above.


As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table:


Ease of use: Automated Exploit, Extremely Difficult, No Known Exploit

Risk: Local Availability, Remote Availability, Remote Access, Local Privileged, Remote Privileged


All data and commentary is based on information available when the VERT Alert is published.