VERT Alert - June 12, 2012

June 12, 2012 5:10 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire 's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for this bulletin in order to meet our 24-hour SLA and expects to ship ASPL-462 on Wednesday, June 13th.

Remote Desktop Protocol Vulnerability CVE-2012-0173
Center Element Remote Code Execution Vulnerability CVE-2012-1253
HTML Sanitization Vulnerability CVE-2012-1858
EUC-JP Character Encoding Vulnerability CVE-2012-1872
Null Byte Information Disclosure Vulnerability CVE-2012-1873
Developer Toolbar Remote Code Execution Vulnerability CVE-2012-1874
Same ID Property Remote Code Execution Vulnerability CVE-2012-1875
Col Element Remote Code Execution Vulnerability CVE-2012-1876
Title Element Change Remote Code Execution Vulnerability CVE-2012-1877
onBeforeDeactivate Event Remote Code Execution Vulnerability CVE-2012-1878
insertAdjacentText Remote Code Execution Vulnerability CVE-2012-1879
insertRow Remote Code Execution Vulnerability CVE-2012-1880
OnRowsInserted Event Remote Code Execution Vulnerability CVE-2012-1881
Scrolling Events Information Disclosure Vulnerability CVE-2012-1882
.NET Framework Memory Access Vulnerability CVE-2012-1855
TrueType Font Parsing Vulnerability CVE-2012-3402
TrueType Fond Parsing Vulnerability CVE-2012-0159
Lync Insecure Library Loading Vulnerability CVE-2012-1849
HTML Sanitization Vulnerability CVE-2012-1858
Dynamics AX Enterprise Portal XSS Vulnerability CVE-2012-1857
String Atom Class Name Handling Vulnerability CVE-2012-1864
String Atom Class Name Handling Vulnerability CVE-2012-1865
Clipboard Format Atom Name Handling Vulnerability CVE-2012-1866
Font Resource Refcount Integer Overflow Vulnerability CVE-2012-1867
Win32K.sys Race Condition Vulnerability CVE-2012-1868
User Mode Scheduler Memory Corruption Vulnerability CVE-2012-0217
BIOS ROM Corruption Vulnerability CVE-2012-1515


The first bulletin this month is a replacement for a widely discussed bulletin released only a couple of months ago, MS12-020. This bulletin resolves an issue affecting Microsoft Remote Desktop that could lead to remote code execution. Depending on your infrastructure and software usage, you may want to put this at the top of your list. If you cannot immediately install the patch, turning on Network Level Authentication (NLA) can mitigate this issue.


The second bulletin of the month fixes the other truly critical issue. Actually, it fixes 13 issues, all vulnerabilities affecting Internet Explorer, including one from pwn2own and another that has been used in limited targeted attacks. This is the other patch this month that should be at the top of your priority list.


A single vulnerability affecting .NET is fixed in MS12-038. There's not much else to add, except that these fixes are becoming more and more common. XAML Browser Applications (XBAPs) provide a means of exploiting this vulnerability via the browser, however changes to recent versions of Internet Explorer have disabled most of this functionality, limited the attack vectors available for this vulnerability.


MS12-039 is one of two "firsts" this month. It is the first time we've seen Microsoft Lync mentioned in a security bulletin. In total four vulnerabilities are patched by this update, one of which is a DLL Preloading attack, similar to the numerous other ones we've seen released over the past year.


The second "first" of the month is MS12-040, featuring the first appearance of Microsoft Dynamics AX 2012 in a bulletin. This bulletin patches a single XSS vulnerability affecting the Dynamics AX 2012 Portal.


The second to last bulletin of the month resolves five local vulnerabilities that could lead to elevation of privilege. These are also becoming commonplace and most people should have expected to see these this month.


The final bulletin of the month resolves two additional elevation of privilege vulnerabilities. The most interesting aspect of this bulletin is the affected software list. While Windows XP and Server 2003 are affected, as are Windows 7 and Server 2008 R2, Windows Vista and Server 2008 are not affected. The breakdown clarifies that CVE-2012-0217 targets the newer operating systems, while CVE-2012-1515 affects Windows XP and Server 2003.

As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table:

Automated Exploit
Extremely Difficult
No Known Exploit
Local Availability
Remote Availability
Remote Access
Local Privileged
Remote Privileged


All data and commentary is based on information available when the VERT Alert is published.