Microsoft Patch Tuesday August 2012 – Staying Alive In Gale Crater

As you install the nine updates Microsoft released this month, five of which are critical and allow remote code execution, keep in mind that no matter how complicated your network is, someone else's is more complicated. But, you say, I have servers on other continents with no one nearby to reboot them if things go poorly. Yeah, well, no one else has a server that's at least 54 million kilometers away and that, if it doesn't come back up after a patch install, is essentially a two-and-a-half-billion-dollar brick. The team working on the Mars rover Curiosity basically gets one shot to update the firmware on the rover; if anything goes wrong, you have added one more very expensive rock to the surface of Mars. Think about that when you update your servers this month.

You know that feeling you get during those few minutes after you reboot a server following a patch install, when you anxiously wait for it to come back up so you can remote in and check that everything is working? There is always that sinking feeling just before the VNC client connects, when you think 'Oh no, the patch broke it', and then it just comes up and you breathe that sigh of relief. Now imagine you're dealing with a fifteen-minute delay and an eight-hour boot time. If it doesn't come back up you can't just walk back to the server room and see what happened. Yeah, Mars is like that.

MS12-052 / KB2722913

Cumulative Security Update for Internet Explorer

CVE-2012-1526 CVE-2012-2521 CVE-2012-2523 CVE-2012-2522

There are four vulnerabilities in this patch for our old friend and punching bag, Internet Explorer. The worst of them allow remote code execution if you once again visit a specially crafted web page. Remember that a 'specially crafted web page' is just fancy security talk for just about anything: a compromised site, an advertisement, a phishing site, etc. They aren't difficult to build and you can run across them accidentally. Just like last month, the attacks target objects that IE holds in memory: two of them deal with file corruption in memory, one deals with a JavaScript integer overflow, and the fourth has to do with asynchronous NULL object access. If you can't or don't want to apply this patch, you can limit your exposure by setting the Internet security zone to High to block ActiveX controls, adding the sites you rely on to the IE Trusted Sites zone, and either having IE prompt for or disabling Active Scripting altogether, but I would seriously consider installing the patch instead.

If you are running IE8 you will also need to install MS12-056 / KB2706045 (see below) to protect against CVE-2012-2523.
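As an added example (not from the original post), here is a PowerShell script that applies the interim IE mitigations described above to the current user: ActiveX controls blocked and Active Scripting set to prompt in the Internet zone, plus one site added to Trusted Sites so that business-critical pages keep working. The action values 1200 and 1400 are Microsoft's documented Internet zone registry settings; 'intranet.example.com' is a placeholder.

```powershell
# Added example, not from the original post. Interim IE hardening for the
# current user while MS12-052 is pending. Zone 3 = Internet, zone 2 = Trusted Sites.
# Action 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting";
# data 0 = enable, 1 = prompt, 3 = disable. Group Policy (HKLM) can override HKCU,
# so verify the effective setting in Internet Options after running this.
$zones        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$internetZone = Join-Path $zones '3'

function Set-ZoneAction {
    param([string]$ZonePath, [string]$Action, [int]$Value)
    # Record the previous value so the change can be reverted once the patch is on.
    $before = (Get-ItemProperty -Path $ZonePath -Name $Action -ErrorAction SilentlyContinue).$Action
    Set-ItemProperty -Path $ZonePath -Name $Action -Value $Value -Type DWord
    '{0}\{1}: {2} -> {3}' -f $ZonePath, $Action, $before, $Value
}

function Add-TrustedSite {
    param([string]$Domain, [string]$Scheme = 'https')
    # ZoneMap\Domains\<domain> with a scheme value of 2 places the site in Trusted Sites.
    $map = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $key = Join-Path $map $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
    "Trusted Sites: $Scheme://$Domain"
}

# Block ActiveX and prompt before Active Scripting for everything in the Internet zone.
Set-ZoneAction -ZonePath $internetZone -Action '1200' -Value 3
Set-ZoneAction -ZonePath $internetZone -Action '1400' -Value 1

# Placeholder domain: replace with the sites your users actually need.
Add-TrustedSite -Domain 'intranet.example.com'
```

Revert the two zone actions to their recorded previous values once KB2722913 is installed, or the prompts will outlive the reason for them.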

MS12-054 / KB2733594

Remote Code Execution in Windows Networking Components

CVE-2012-1850 CVE-2012-1851 CVE-2012-1852 CVE-2012-1853

Like MS12-052, MS12-054 also covers four different vulnerabilities, and again we have the possibility of remote code execution. Instead of Internet Explorer, these four affect Windows networking components; the most severe can be exploited with a specially crafted response to a Windows print spooler request. The other three are a heap overflow, a stack overflow and a DoS in the Remote Administration Protocol. The print spooler one is arguably the worst: not only can it allow RCE, it can be triggered by a remote, unauthenticated user. About the only thing you can do to protect yourself, other than installing the patch, is to disable the print spooler, but then you are still vulnerable to the Remote Administration Protocol attacks, so, umm, install the patch.

MS12-060 / KB2720573

Remote Code Execution in Windows Common Controls

MS12-060 has already been disclosed publicly and Microsoft is aware of limited targeted attacks, but they haven't yet seen any proof-of-concept code. Considering this exploit results in remote code execution, we can probably expect a PoC real soon now. This one does require a bit of social engineering to exploit: it requires a user to click a link, either on a web page, in an email, or in an instant message, or to open an attachment. The issue is in an ActiveX control in the MSCOMCTL.OCX file, specifically the TabStrip control, which is a shared component across multiple MS Office products. There are two different versions of the patch depending on which version of SQL Server you have installed; if you have automatic updates turned on, it is smart enough to get the correct one. If you don't have automatic updates, check the MS knowledge base to determine your SQL Server version and which patch applies to you. There are some things you can do to mitigate this attack other than installing the patch, but they involve editing the registry among other things; it's a lot easier to just install the patch.

MS12-053 / KB2723135

Remote Code Execution in Remote Desktop

We all remember MS12-020 and MS12-037, right? Well, we have another one: MS12-053 also allows for the potential of remote code execution in Remote Desktop. In this case a series of specially crafted RDP packets could result in RCE. If you don't need Remote Desktop on your server, disable it. That makes a lot of sense on paper, but if your server is remote, say a few million miles away on another planet, that's probably not all that feasible, so at the very least, if you cannot install the patch, block port 3389 at the firewall, which should help against remote attacks; then you just need to worry about the internal ones. With there now being three possible vectors for attack it is only a matter of time before will need to be updated with a big fat YES.

MS12-058 / KB2740358

Remote Code Execution in MS Exchange Server WebReady Document Viewing

CVE-2012-1767 CVE-2012-1773

I can hear system admins across the vastness of interplanetary space groan over this one. A publicly disclosed vulnerability with the potential for RCE, in Microsoft Exchange Server, that requires a reboot? Altogether now, <groan>. While patching may be an inconvenience, the vulnerability itself is pretty neat: it involves how the Outlook Web App (OWA) parses attachments for viewing via WebReady Document Viewing. OWA uses the Oracle Outside In libraries, and this patch replaces them with a non-vulnerable version. If the Oracle Outside In libraries really interest you, check out MS Security Advisory 273111 and CVE-2012-2525, which were addressed in an earlier patch but are related to this one. So now you're wondering: if the problem is in an Oracle product, why is Microsoft issuing the patch? Well, these are custom libraries that MS licenses from Oracle, and Microsoft wants to protect all its Exchange customers, so they issued the patch. Remember, this one was disclosed publicly but it hasn't been seen in the wild, yet.

MS12-055 / KB2731847

Elevation of Privilege in Windows Kernel-Mode Drivers

Almost as popular as Internet Explorer is our old friend win32k.sys, which is used for just about everything: managing input devices such as your keyboard, your screen output, passing user messages to applications, and a bunch of other things. In this case, if a user with a valid account runs a specially crafted application, they can gain admin privileges and then, of course, control everything on the machine.

MS12-056 / KB2706045

Remote Code Execution in JScript and VBScript Engines

Yet another remote code execution, but only for 64-bit versions of Windows. If a user visits a specially crafted web page, an attacker could take advantage of a flaw in the JScript and/or VBScript engines. Be sure to check out MS12-052 / KB2722913, also in this update: KB2706045 is for IE8 users and KB2722913 is for IE9 users; if you are running IE10 you're golden. Of course, if you have automatic updates turned on, just let the system figure out which update you need.

MS12-057 / KB2731879

Remote Code Execution in Microsoft Office

This is another case where having automatic updates turned on will save you a lot of work, as there are different update packages for different versions of Microsoft Office. You may even see these updates offered in Automatic Update if you don't have MS Office installed: the affected code is also present in a lot of MS Office Viewer applications, and while the viewer apps aren't vulnerable themselves, MS offers the update anyway just in case. The issue here is how Office handles Computer Graphics Metafile (CGM) and WordPerfect Graphics (WPG) files. If successfully exploited, the attacker could run arbitrary code as the current user, which of course could lead to all sorts of nastiness such as creating admin accounts and other mayhem.

MS12-059 / KB2733918

Remote Code Execution in Microsoft Visio

I know what you're thinking: this one is for Visio, and you specifically did not install Visio when you installed that Office suite, so you think you won't need this patch. Well, you are wrong. If Visio was part of the MS Office suite that you installed, even if you did not install Visio itself, you will still be offered this update, and you should probably go ahead and install it anyway. If your system is vulnerable to this exploit, all an attacker has to do is get you to open a specially crafted Visio file; that would most likely be via an email attachment, but it could also be on a website that hosts third-party content.
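As an added example (not from the original post), the PowerShell below checks a host against the Windows-component KBs from the nine bulletins above and reports whether a restart is still outstanding, which matters because none of these fixes is in effect until the reboot the post keeps worrying about. Get-HotFix only enumerates Windows updates, so the Office, Visio and Exchange packages (KB2731879, KB2733918, KB2740358) and the MSCOMCTL update (KB2720573) have to be inventoried through their own products and are kept in a separate list here.

```powershell
# Added example, not from the original post. August 2012 patch status check.
# Windows-component updates visible to Get-HotFix (Win32_QuickFixEngineering):
$WindowsKBs = @('KB2722913',   # MS12-052 IE cumulative update
                'KB2723135',   # MS12-053 Remote Desktop
                'KB2733594',   # MS12-054 Windows networking components
                'KB2731847',   # MS12-055 win32k.sys
                'KB2706045')   # MS12-056 JScript/VBScript (only expected on IE8 hosts)
# Product updates that Get-HotFix does not list; check via the product's own inventory:
$ProductKBs = @('KB2731879',   # MS12-057 Office
                'KB2733918',   # MS12-059 Visio
                'KB2740358',   # MS12-058 Exchange WebReady
                'KB2720573')   # MS12-060 Windows Common Controls (package varies by product)

function Get-MissingKB {
    param([string[]]$Expected = $WindowsKBs, [string]$ComputerName = $env:COMPUTERNAME)
    # Compare the expected list against installed HotFixIDs; '-notcontains' works on PS 2.0.
    $installed = Get-HotFix -ComputerName $ComputerName | ForEach-Object { $_.HotFixID }
    $Expected | Where-Object { $installed -notcontains $_ }
}

function Test-RebootPending {
    # Either marker means an installed update is not active until the next restart.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    (Test-Path $cbs) -or (Test-Path $wu)
}

$missing = Get-MissingKB
if ($missing) { "Missing Windows updates: $($missing -join ', ')" }
else          { 'All Windows-component updates from the August 2012 bulletins are present' }
"Still to verify through Office/Exchange inventory: $($ProductKBs -join ', ')"
if (Test-RebootPending) { 'Reboot pending: installed updates are not in effect yet' }
```

KB2706045 appearing as missing on an IE9 or IE10 host is expected, since MS12-056 only ships for IE8.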

Hopefully all your servers, as well as Curiosity, safely reboot after you apply your patches. There are enough very expensive rocks on Mars already.

Researchers at Trustwave SpiderLabs are actively and thoroughly investigating these bulletins, using the information from Microsoft and other sources to develop protections for our customers against these threats as quickly as we can.
