VERT Alert - July 10, 2012

July 10, 2012 2:40 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for this bulletin in order to meet our 24-hour SLA and expects to ship ASPL-466 on Wednesday, July 11th.

MSXML Uninitialized Memory Corruption Vulnerability CVE-2012-1889
Cached Object Remote Code Execution Vulnerability CVE-2012-1522
Attribute Remove Remote Code Execution Vulnerability CVE-2012-1524
ADO Cachesize Heap Overflow RCE Vulnerability CVE-2012-1891
Visual Basic for Applications Insecure Library Loading Vulnerability CVE-2012-1854
Keyboard Layout Vulnerability CVE-2012-1890
Win32k Incorrect Type Handling Vulnerability CVE-2012-1893
Command Injection Vulnerability CVE-2012-0175
TLS Protocol Vulnerability CVE-2012-1870
HTML Sanitization Vulnerability CVE-2012-1858
XSS scriptresx.ashx Vulnerability CVE-2012-1859
SharePoint Search Scope Vulnerability CVE-2012-1860
SharePoint Script in Username Vulnerability CVE-2012-1861
SharePoint URL Redirection Vulnerability CVE-2012-1862
SharePoint Reflected List Parameter Vulnerability CVE-2012-1863
Office for Mac Improper Folder Permissions Vulnerability CVE-2012-1894


The first patch this month is for MS XML, and the interesting part is that while all versions are affected (3, 4, 5, and 6), patches are only available for versions 3, 4, and 6. According to the bulletin, version 5 (which ships with Office, SharePoint Server, and Groove Server) is still undergoing testing and will ship when it is available. In the meantime, there is a Microsoft Fix It available for those who wish to block the attack vector for version 5.


The IE patch this month resolves two vulnerabilities affecting Internet Explorer. The interesting part is that these issues affect only IE9.


The third bulletin this month addresses a single vulnerability affecting MDAC 2.8 and MDAC 6.0. The attack vector for this bulletin is Internet Explorer, effectively making this an additional IE vuln from the attacker's point of view.


DLL Preloading might just be the attack that will never end. MS12-046 resolves an instance of this issue affecting Visual Basic for Applications and Microsoft Office. We'll likely see additional DLL preloading attacks patched in future months.


This bulletin should probably find its way into the "it happens every month" category with IE and Office. The Windows Kernel-Mode Drivers are affected by the two vulnerabilities in this bulletin, and more specifically Win32k.sys is targeted.


While not a DLL Preloading attack, the vulnerability fixed by MS12-048 is exploited in a very similar way. The user will need to be tricked into executing a file to exploit this vulnerability.


This bulletin is unique. We'll likely see it discussed outside of Microsoft circles since it's a protocol vulnerability and not a Microsoft-specific issue. The issue only exists when Cipher Block Chaining (CBC) mode is used.


The second-to-last bulletin of the month patches SharePoint Server, Groove Server, InfoPath and Office Web Apps. A total of six vulnerabilities are resolved, including a cross-site scripting vulnerability. CVE-2012-1858 is the only CVE in this bundle that affects every product in the affected software list.


The last bulletin of the month resolves an issue in Office for Mac 2011. There are certain situations where the installer could place lax permissions on folders, allowing others to write malicious files that the user may execute.


As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table:

Ease of use levels: Automated Exploit, Extremely Difficult, No Known Exploit
Risk categories: Local Availability, Remote Availability, Remote Access, Local Privileged, Remote Privileged

All data and commentary is based on information available when the VERT Alert is published.