New Microsoft Vulnerability

June 12, 2012

In addition to this month’s regular batch of security bulletins from Microsoft, the company has also issued a new Security Advisory (2719615) concerning a flaw in a Windows software component called XML Core Services (MSXML), versions 3.0, 4.0, 5.0, and 6.0.  This component is widely used in Microsoft products; all supported versions of Windows (including Server Core installations), Microsoft Office 2003, and Office 2007 are affected.  The vulnerability would allow an attacker to run code on the target system with the same privileges as the logged-on user, if the user visited a maliciously crafted Web page.  (The most likely scenario for a successful attack would involve the user clicking on a malicious link with Internet Explorer.)  There is some evidence that this vulnerability (which has been assigned CVE-2012-1889) is being actively exploited.

At this point, Microsoft has not issued a Security Bulletin or patch for the vulnerability.  However, it has provided a “Fix it” mitigation that can be applied to block the known attack vector.  More information on the mitigation, and download links, are in the corresponding Knowledge Base article (2719615).

Since this vulnerability is, apparently, being exploited, I recommend that you apply the “Fix it” mitigation as soon as you conveniently can; but you should carefully read the Security Advisory and Knowledge Base article first, especially if you are working on a production system.  These cheap and cheerful quick fixes have been known to have problems.  (Again, this advisory is in addition to the regular monthly patch announcement.)  An additional mitigation step, which I recommend on general principles, is to use a browser other than Internet Explorer, specifically one that does not support ActiveX, a Microsoft technology which, in my view, is defective by design.  (Either Firefox or Google Chrome qualifies.)  Avoiding Internet Explorer does not, however, provide complete protection, since the flawed software components are used in other parts of Windows and in Office, not just in the browser.
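Before applying the workarounds it helps to know which of the four affected MSXML versions are actually present on a given machine, since 5.0 ships with Office rather than Windows and 4.0 is only installed by some applications.  The PowerShell script below is an added example for this post, not code from the advisory or from Microsoft.  It assumes that msxml3.dll, msxml4.dll and msxml6.dll live in System32 (and SysWOW64 on 64-bit Windows), that msxml5.dll is found under %CommonProgramFiles%\Microsoft Shared where Office puts its shared components, and it uses the COM ProgID Msxml2.DOMDocument.<version> in HKEY_CLASSES_ROOT as a second indicator of an installed version.

```powershell
# Added example (not from the original post or from Microsoft): inventory the
# MSXML Core Services versions named in Security Advisory 2719615 (3.0, 4.0,
# 5.0, 6.0) on the local host, so you know which components are in scope.
#
# Assumptions, labelled as such: msxml3/4/6.dll are looked for in System32 and
# SysWOW64; msxml5.dll (Office) is searched for under Common Files\Microsoft
# Shared; the ProgID Msxml2.DOMDocument.<ver> under HKCR is a second signal.

function Get-MsxmlInventory {
    $searchDirs = @(Join-Path $env:SystemRoot 'System32')
    $wow64 = Join-Path $env:SystemRoot 'SysWOW64'
    if (Test-Path $wow64) { $searchDirs += $wow64 }
    $officeShared = Join-Path $env:CommonProgramFiles 'Microsoft Shared'

    foreach ($ver in '3.0', '4.0', '5.0', '6.0') {
        $major   = $ver.Split('.')[0]
        $dllName = "msxml$major.dll"

        # Collect every copy of this version's DLL that we can find.
        $found = @()
        foreach ($dir in $searchDirs) {
            $candidate = Join-Path $dir $dllName
            if (Test-Path $candidate) { $found += $candidate }
        }
        if ($ver -eq '5.0' -and (Test-Path $officeShared)) {
            # Assumption: Office installs msxml5.dll somewhere below this tree.
            $found += @(Get-ChildItem -Path $officeShared -Filter $dllName -Recurse `
                            -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
        }

        $progId = "Msxml2.DOMDocument.$ver"
        $progIdRegistered = Test-Path "Registry::HKEY_CLASSES_ROOT\$progId"

        if ($found.Count -eq 0) {
            # No DLL located; still report the ProgID state so a registered but
            # unlocated copy is not silently ignored.
            New-Object PSObject -Property @{
                Version          = $ver
                Present          = $progIdRegistered
                ProgIdRegistered = $progIdRegistered
                FileVersion      = $null
                Path             = $null
            }
            continue
        }
        foreach ($path in $found) {
            New-Object PSObject -Property @{
                Version          = $ver
                Present          = $true
                ProgIdRegistered = $progIdRegistered
                FileVersion      = (Get-Item $path).VersionInfo.FileVersion
                Path             = $path
            }
        }
    }
}

# Usage: anything reported with Present = True is in scope for the advisory.
Get-MsxmlInventory |
    Sort-Object Version, Path |
    Format-Table Version, Present, ProgIdRegistered, FileVersion, Path -AutoSize
```

Run it in an elevated PowerShell prompt if you want the SysWOW64 and Office directories read reliably; the output is an inventory only, it does not change anything.  Record the FileVersion values before and after you apply the Fix it or a later patch, so you can confirm on each machine that the affected binaries were actually updated.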

I will try to post updates on this vulnerability as more information becomes available.


Microsoft Patch Tuesday, June 2012

June 12, 2012

Today is the second Tuesday of June, so, in keeping with its usual schedule, Microsoft has released this month’s batch of security bulletins and patches for Windows and related software.  This month, there are seven bulletins, for 25 identified vulnerabilities.  Five of the bulletins are for Windows and its components; three of these have a maximum severity rating of Critical, and the other two are rated Important.  All supported versions of Windows are affected.  (For a breakdown of bulletins by severity and Windows version, please see this month’s preview post.)

There is also a bulletin that affects Microsoft Office and Visual Basic for Applications, which is rated Important.  [See Update below.]  The final Important bulletin affects Microsoft Dynamics AX; this is a component of Microsoft’s ERP [Enterprise Resource Planning] software, and will not be relevant to most users.

Further details, and download links, are in the Security Bulletin Summary for June 2012.  Microsoft says that two of the patch installations will definitely require a system restart, and the others may require one, depending on the configuration of your system.

The folks at the SANS Internet Storm Center have posted their usual analysis of this month’s patches, along with their severity ratings for client and server systems.  They rate one bulletin, MS12-037 for Internet Explorer and components, as “Patch Now”, because active exploits have been reported.

As always, I recommend that you update your systems as soon as you conveniently can.

Update Tuesday, June 12, 22:45 EDT

I missed this on my initial reading of the Security Bulletin Summary.  One bulletin, MS12-039, was described in the preview announcement last Thursday as applying to Microsoft Office and Visual Basic for Applications.  In the final summary, it is identified as applying to Microsoft Communicator and Lync; the severity rating is still Important.  Mea culpa.
