VERT Alert - November 12, 2012

November 12, 2012 2:30 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 6 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-485 on Wednesday, November 14th.

CFormElement Use After Free Vulnerability CVE-2012-1538
CTreePos Use After Free Vulnerability CVE-2012-1539
CTreeNode Use After Free Vulnerability CVE-2012-4775
Windows Briefcase Integer Underflow Vulnerability CVE-2012-1527
Windows Briefcase Integer Overflow Vulnerability CVE-2012-1528
Password Disclosure Vulnerability CVE-2012-2531
FTP Command Injection Vulnerability CVE-2012-2532
Reflection Bypass Vulnerability CVE-2012-1895
Code Access Security Info Disclosure Vulnerability CVE-2012-1986
.NET Framework Insecure Library Loading Vulnerability CVE-2012-1529
Web Proxy Auto-Discovery Vulnerability CVE-2012-4776
WPF Reflection Optimization Vulnerability CVE-2012-4777
Win32k Use After Free Vulnerability CVE-2012-2530
Win32k Use After Free Vulnerability CVE-2012-2553
TrueType Font Parsing Vulnerability CVE-2012-2897
Excel SerAuxErrBar Heap Overflow Vulnerability CVE-2012-1885
Excel Memory Corruption Vulnerability CVE-2012-1886
Excel SST Invalid Length Use After Free Vulnerability CVE-2012-1887
Excel Stack Overflow Vulnerability CVE-2012-2543


The first bulletin of November brings us the expected Internet Explorer patch. Many IE users will get a reprieve this month, as the bulletin only applies to Internet Explorer 9. All three CVEs patched in this bulletin could lead to code execution when visiting malicious websites.


The second bulletin this month brings us a bit of a blast from the past. Titled as a generic 'Windows Shell' vulnerability, this bulletin contains two vulnerabilities affecting Windows Briefcase. This archaic mobile sync technology, first introduced in Windows 95, still exists in every major release of Windows up to, and including, Windows 8. You would have to access a briefcase folder via WebDAV or SMB in order for an attacker to successfully exploit this vulnerability on your system. Given the numbering of bulletins this month, this ancient technology is also responsible for the first official bulletin with Windows 8 and Server 2012 listed as affected products.


MS12-073 is the only bulletin this month that isn't limited to software installed locally. In this case we're looking at the IIS FTP service. One of the two vulnerabilities results from a non-default configuration that can lead to service password changes being logged, while the other one could allow commands to be sent to an FTP server prior to the FTP TLS tunnel being established.


This month's .NET bulletin introduces a series of important vulnerabilities and a single critical vulnerability. It's also the first bulletin to patch .NET 4.5. The critical vulnerability references WPAD; however, it should be noted that WPAD as a service is not affected. The issue is related to the .NET parsing of WPAD files and requires that an attacker exist on your local intranet while you run a .NET application.


Win32k.sys patches are nearly as common as Internet Explorer patches these days, so there should be no surprise to see it patched again this month. Three CVEs are referenced, one of which could potentially lead to drive-by code execution. This may be the least interesting bulletin of the month.


The final bulletin of the month addresses four vulnerabilities affecting Microsoft Excel. Office vulnerabilities are another common part of the Microsoft update process and these vulnerabilities are fairly typical, so there shouldn't be any surprises for security teams with this one.


As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table:

Ease of use: Automated Exploit, Extremely Difficult, No Known Exploit

Risk: Local Availability, Remote Availability, Remote Access, Local Privileged, Remote Privileged


All data and commentary is based on information available when the VERT Alert is published.