Patch Tuesday June 2012: RDP broken, again. Stuxnet TTF, again.
This is shaping up to be an interesting Patch Tuesday, with critical vulnerabilities being patched across a combination of operating system components and client applications. In total there are 7 Microsoft Security Bulletins covering 26 distinct vulnerabilities in this June 2012 Microsoft Patch Tuesday. More than half of these vulnerabilities are rated by Microsoft as likely to be exploited. On top of all of the vulnerability fixes, Microsoft has also added an automatic updater capability for determining whether a system has any certificates that are no longer trustworthy. This shows the increasing seriousness with which Microsoft is treating the variety of certificate-related vulnerabilities that have plagued its customers over the last few years.
RDP Broken Again
The bulletin that will probably get the most attention is MS12-036, which covers a vulnerability within Microsoft’s Remote Desktop. This comes on the heels of a previous RDP vulnerability that made a lot of news this past March (MS12-020). Now before everyone goes and says the sky is falling, it is important to step back and get perspective on the previous RDP flaw and the fact that there still has not been a public exploit for it beyond sample DoS “exploits.” While any RDP vulnerability rated as “exploit code likely” by Microsoft should be taken very seriously, it is still more likely that the average IT environment will continue to be hit by drive-by, client-application-style exploits.
Internet Explorer Drive-by
That brings us to MS12-037, a bulletin that covers more than 13 different Internet Explorer vulnerabilities across all versions of Internet Explorer. This is probably one of the most severe bulletins because exploit code is likely to be created for one or more of these vulnerabilities, which leads to the potential for drive-by malware attacks across all versions of Internet Explorer. This, in our opinion, is one of the more important sets of patches to roll out as soon as possible.
Stuxnet/Duqu TrueType Font, awesome.
Our favorite bulletin for this June Patch Tuesday is MS12-039, which fixes a variety of vulnerabilities within Microsoft’s Lync client but, most interestingly, fixes a flaw caused by reuse of vulnerable TrueType Font parsing code. Some of you might remember that one of the zero-days that Stuxnet and Duqu used was a kernel privilege escalation vulnerability that leveraged a flaw in the parsing of TrueType Fonts. This original zero-day was fixed by Microsoft in security bulletin MS11-087. Then last month we saw Microsoft release another bulletin (MS12-034) that covered this same TrueType Font parsing vulnerability, CVE-2011-3402. It turns out that developers at Microsoft had reused the same vulnerable TrueType Font parsing code within multiple different products. In order to find other places where this code might have been reused, Microsoft created an internal system called “Cloned Code Detection.” This system is what was able to find those other vulnerable TTF code reuse issues fixed in MS12-034.
Now here we are 7 months after the original Stuxnet/Duqu fix for TrueType Font parsing, and this same code reuse bug has reared its ugly head, except this time within Microsoft’s Lync. It could be that the “Cloned Code Detection” system has had some tweaks that allowed it to find more instances of this code reuse, or it could be that Lync in all its goofy chat glory was the forgotten product that simply never had this tool run against it. Either way, the Microsoft developer who seemingly wrote the vulnerable TrueType Font parsing code and posted it on the Microsoft Cafeteria whiteboard for everyone to copy should feel confident that while this TTF parsing code is the gift that keeps on giving, it is still nowhere near the constant gift that DLL Hijacking has been.
All in all, there are some very critical vulnerabilities this month, including privilege escalation in MS12-041 and MS12-042, a remote code execution vulnerability in the .NET Framework (MS12-038) and even a bulletin covering Microsoft’s Dynamics AX ERP solution.
The two most important bulletins are MS12-037 for Internet Explorer and MS12-036 for Remote Desktop. Currently the Internet Explorer vulnerabilities appear to be a more immediately exploitable threat, but given the value of Remote Code Execution on RDP, there will surely be a lot of folks trying to weaponize that vulnerability. Only time will tell if people are successful with this RDP flaw where they were not with the one in March.
Join Tomorrow’s Vulnerability Expert Forum
Remember to join us tomorrow at 1pm PDT for our monthly Patch Tuesday assessment, where we’ll discuss the Microsoft bulletins in more depth and recap the Flame malware. Sign up here.
*Note: If you are ready to answer the VEF question surrounding our Kindle Giveaway, you’ve reached the right spot. Please post your comments below. We will select a Kindle winner within the next few weeks.*