Microsoft Patch Tuesday, December 2012 – 99 Bottles of Beer on the Wall

The head of Trustwave SpiderLabs, Nicholas Percoco, has had an unusual goal this year: drinking a different beer every day for the entire year. Considering his travel schedule and the number of times he has been stranded in airports around the world, coming up with a new beer every single day has been quite the accomplishment. He has been checking them in on Untappd and the list is pretty impressive. From fairly regular beers such as Miller Light (Mar 17) to the fairly esoteric Trappistes Rochefort 10 (Oct 14), the variety of beers he has drunk almost rivals the variety of vulnerabilities we have seen in Microsoft's products this year.


This last Patch Tuesday of the year makes it a total of eighty-three different bulletins for 2012. That only comes out to about one bulletin for every four days or so, which isn't the same as a beer per day, but at least there were seventeen fewer bulletins this year than there were in 2011. However, just as some beers have higher alcohol content than others, some bulletins are more severe than others. This year, even though there are fewer overall bulletins, more of those bulletins were rated as critical. There were thirty-five critical bulletins this year versus thirty-four critical bulletins last year. So while the overall number of vulnerabilities seems to be decreasing, the percentage of those that are really bad seems to be increasing.

So grab a bottle of your favorite beer, perhaps a bottle of Cipher (Feb 17) from Half Acre Brewing, and let's go through the bulletins for December, the last Patch Tuesday of the year 2012.


MS12-077 (KB2761465)


Remote Code Execution in Internet Explorer

CVE-2012-4781 CVE-2012-4782 CVE-2012-4787

We love IE bugs: so common, been around forever and yet still so delicious at the same time, almost just like a Guinness Draught (Feb 21). This patch is rated critical for Internet Explorer 9 and 10 on desktops but only rated moderate for IE 9 and 10 on server platforms. As usual, all it takes is a specially crafted web page, in all three cases one that accesses objects in memory after they have been deleted, or a 'use after free' vulnerability. This might result in memory corruption, which could be used to run arbitrary code as the current user.


MS12-078 (KB2783534)


Remote Code Execution in Kernel-Mode Drivers

CVE-2012-2556 CVE-2012-4786

You never think that a standard IPA is going to kick your ass, just like you don't think of fonts as a security risk. Then there is 120 Minute IPA (Jan 31) from Dogfish Head Craft Brewery with its 18% ABV, and it hits you just like a TrueType or OpenType font parsing vulnerability. With a specially crafted web page or Word document that embeds a malicious font file, an attacker could execute arbitrary code. Once you have the ability to run arbitrary code it's pretty much game over: an attacker can install programs, delete data, or create new accounts. All that from a bad font file or a 120 Minute IPA.


MS12-079 (KB2780642)


Remote Code Execution in Microsoft Word


While Microsoft has not yet seen this one being exploited in the wild, they do expect exploit code to show up soon. This one has to do with how MS Word parses RTF files and, again, could result in remote code execution. The problem is present in Word 2003, 2007, 2010 and even MS Word Viewer. Users of Outlook 2007 and Outlook 2010 should also take note, as MS Word is set as the default email reader for those email clients. Considering the rise in recent spear phishing attacks, you should not get too comfortable while drinking your Hipster Ale (Nov 10) and instead should apply this patch.


MS12-080 (KB2784126)


Remote Code Execution in MS Exchange Server

CVE-2012-3214 CVE-2012-3217 CVE-2012-4791

Ubiquitous (Nov 23) from Pipeworks Brewing could be used to describe Microsoft Exchange Server, as it is one of the most common email servers on the Internet. It is everywhere. We mentioned last week that you might want to go ahead and schedule a reboot time for your Exchange server so you can apply this update right away. The problem here isn't actually in Exchange but in the Outside-In Libraries provided by Oracle, which is an area that seems to be getting a lot of attention in the last few months. Oracle patched these vulnerabilities in their Critical Patch Update in October. CVE-2012-3214 and CVE-2012-3217 are the two vulnerabilities in the Oracle Libraries, but there is a third CVE fixed in this update, CVE-2012-4791, which can result in a DoS if Exchange Server improperly handles an RSS feed. The DoS could cause the Exchange Database to unmount and lead to corruption of databases affecting user mailboxes. Depending on your boss, losing their email might be worse than RCE, so install the patch and reboot the mail server as soon as you can, then go grab your beer.


MS12-081 (KB2758857)


Remote Code Execution in Windows File Handling


This vulnerability could allow remote code execution if a user browsed to a folder that contains a file or subfolder with a specially crafted name, and it impacts pretty much everything from XP SP3 to Server 2008 R2. And of course 'browse to a folder' can be accomplished with an email attachment if the attacker can get the receiver to open it. If you are still running an older version of the OS, Microsoft thinks this vulnerability will be pretty easy to exploit. Even easier than finding a Christmas Ale (Nov 21) at Christmas time.


MS12-082 (KB2770660)


Remote Code Execution in DirectPlay


DirectPlay is an old API that was part of the DirectX API, used as a network communication library intended for game development but usually used for other stuff. This component is present in all versions of DirectX from 9.0 in XP through 11.1 in Windows 8 and Server 2012. If an attacker can successfully convince a user to view a specially crafted Office document with embedded content, they could gain the same user rights as the current user and execute arbitrary code. Exploit code for this looks rather unlikely, which is probably why this is rated as only Important and not Critical. Just because it isn't Critical doesn't mean that it doesn't count, just like Bulmers Irish Cider (Oct 23) still counts as beer.


MS12-083 (KB2765809)


Security Feature Bypass in IP-HTTPS


No one really knows what the three hundred and sixty-sixth beer (it's a leap year!) that Nicholas will have this year will be. Perhaps he doesn't even know. I have to wonder how you even find that many different beers. But when you brew your own beer, like Getcha Through it Holiday Ale (Nov 19), I suppose you are not limited by commercial availability. One thing we do know is that the last bulletin released by Microsoft for 2012 will be a problem with revoked certificates. If an attacker presents a revoked certificate to an IP-HTTPS server, commonly used in Microsoft DirectAccess deployments, they could bypass security features. To exploit the vulnerability, an attacker must use a certificate issued from the domain for IP-HTTPS server authentication. One way of mitigating this flaw is to disable the domain computer accounts associated with revoked client certificates.


And that's it for all the Microsoft security bulletins for two thousand twelve. We will all raise our beer in hopes that there are even fewer of them next year. In a few days we will also find out which beer Nicholas decides will be his last one for the year and if he will decide to do it again next year!

