VERT Alert - October 9, 2012

October 9, 2012 2:30 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-480 on Wednesday, October 10th.

Word PAPX Section Corruption Vulnerability CVE-2012-0182
RTF File listid Use-After-Free Vulnerability CVE-2012-2528
Works Heap Vulnerability CVE-2012-2550
HTML Sanitization Vulnerability CVE-2012-2520
Oracle Outside In contains multiple exploitable vulnerabilities MULTIPLE CVEs
Windows Kernel Integer Overflow Vulnerability CVE-2012-2529
Kerberos NULL Dereference Vulnerability CVE-2012-2551
Reflected XSS Vulnerability CVE-2012-2552


The first bulletin this month covers two vulnerabilities affecting Microsoft Word. As with most Word vulnerabilities, successful exploitation requires a specially crafted file. One of the vulnerabilities this month requires a Word document, while the other requires an RTF document.


This is an unexpected and rarely seen bulletin, as it only affects Microsoft Works 9. Most enterprises are unlikely to be running this software, but many new computers would have come with it installed by default, so you may want to check your installed programs if you've never reinstalled your personal computer OS.


While MS12-070 refers to its vulnerability as a Cross-Site Scripting (XSS) issue, the one in MS12-066 is named "HTML Sanitization Vulnerability"; the outcome, however, is essentially the same. This is another instance of XSS in a slew of Microsoft products. The affected product list includes: InfoPath, SharePoint, Lync, Communicator, Groove Server, and Office Web Apps. Microsoft has noted that while they haven't seen attacks against these apps in the wild, they have seen attacks against their online services.


Another rarity this month, MS12-067 patches issues affecting Oracle Outside In, which is used by Microsoft FAST Search Server 2010 for SharePoint. In total, 13 CVEs are patched; however, they are bundled under a single bullet point on the bulletin page, something we don't see with Microsoft CVEs.


This bulletin was expected, and is always expected, as it's your typical local privilege escalation vulnerability, affecting everything from Windows XP to Server 2012 R2.


The first denial of service of the month is patched in MS12-069. The remote DoS affecting the Microsoft Kerberos implementation exists only on Windows 7 and Server 2008 R2 and is additionally mitigated by the requirement that the attacker be on a domain-joined machine sending an authenticated request to the target.


The final bulletin this month describes an XSS vulnerability in Microsoft SQL Server. The most important thing to note here is that this update will only be offered to those running MS SQL Server Reporting Services in their environments.

Other Information

It's also important to keep in mind the Microsoft Security Advisory related to Minimum Certificate Key Lengths, which has been pushed to automatic updates today. This means that all users will download this the next time they update.
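One way to see which certificates on a machine the key-length update will affect, as an added example that is not from Tripwire or Microsoft. It assumes the update's threshold is RSA keys shorter than 1024 bits, which comes from Microsoft's advisory rather than from this page, and the function name Get-WeakRsaCertificate is hypothetical.

```powershell
# Added example: list certificates in the local stores whose RSA public key is
# shorter than the minimum enforced by the key-length update.
# Assumption: the threshold is 1024 bits (from Microsoft's advisory, not this page).
function Get-WeakRsaCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinimumBits = 1024
    )
    $rsaOid = '1.2.840.113549.1.1.1'   # OID for an RSA public key
    foreach ($root in $StorePath) {
        # -Recurse walks every store (Root, CA, My, ...) under the location
        $certs = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }
        foreach ($cert in $certs) {
            if ($cert.PublicKey.Oid.Value -ne $rsaOid) { continue }   # skip non-RSA keys
            try {
                $bits = $cert.PublicKey.Key.KeySize
            } catch {
                Write-Warning "Could not read key for $($cert.Thumbprint): $_"
                continue
            }
            if ($bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = $cert.PSParentPath -replace '^.*::', ''
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

# Expired certificates are listed too; sort so the longest-lived ones appear first.
Get-WeakRsaCertificate |
    Sort-Object -Property NotAfter -Descending |
    Format-Table -AutoSize Store, Subject, KeyBits, NotAfter, Thumbprint
```

A weak key anywhere in a chain matters, so review hits in the Root and CA stores as well as end-entity certificates.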

Additionally, five bulletins have been re-released. This includes MS12-043 (Windows 8 w/ MS XML 4.0 was added as an affected component) and 4 MS12-05x bulletins (specifically MS12-053, MS12-054, MS12-055, and MS12-058). New patches are available for these updates due to an error in the signing process that has led to many of the digital signature timestamps expiring prematurely. More can be read about this in the Microsoft Security Research & Defense blog post.

As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table:

Ease of use: Automated Exploit, Extremely Difficult, No Known Exploit
Risk: Local Availability, Remote Availability, Remote Access, Local Privileged, Remote Privileged


All data and commentary is based on information available when the VERT Alert is published.