Microsoft Patch Tuesday, December 2012 – 99 Bottles of Beer on the Wall

The head of Trustwave SpiderLabs, Nicholas Percoco, has had an unusual goal this year of drinking a different beer every day for the entire year. Considering his travel schedule and the number of times he has been stranded in airports around the world, coming up with a new beer every single day has been quite the accomplishment. He has been checking them in on Untappd and the list is pretty impressive. From fairly regular beers such as Miller Lite (Mar 17) to the fairly esoteric Trappistes Rochefort 10 (Oct 14), the variety of beers he has drunk almost rivals the variety of vulnerabilities we have seen in Microsoft's products this year.

This last Patch Tuesday of the year makes it a total of eighty-three different bulletins for 2012. That only comes out to about one bulletin for every four days or so, which isn't the same as a beer per day, but at least there were seventeen fewer bulletins this year than there were in 2011. However, while some beers have higher alcohol content than others, some bulletins are more severe than others. This year, even though there are fewer overall bulletins, more of those bulletins were rated as critical. There were thirty-five critical bulletins this year versus thirty-four critical bulletins last year. So while the overall number of vulnerabilities seems to be decreasing, the percentage of those that are really bad seems to be increasing.

So grab a bottle of your favorite beer, perhaps a bottle of Cipher (Feb 17) from Half Acre Brewing, and let's go through the bulletins for December, the last Patch Tuesday of the year 2012.


MS12-077 (KB2761465)


Remote Code Execution in Internet Explorer

CVE-2012-4781 CVE-2012-4782 CVE-2012-4787

We love IE bugs, so common, been around forever and yet still so delicious at the same time, almost just like a Guinness Draught (Feb 21). This patch is rated critical for Internet Explorer 9 and 10 on desktops but only rated moderate for IE 9 and 10 on server platforms. As usual all it takes is a specially crafted web page, in all three cases one that accesses objects in memory after they have been deleted, or a 'use after free' vulnerability. This might result in memory corruption, which could be used to run arbitrary code as the current user.


MS12-078 (KB2783534)


Remote Code Execution in Kernel-Mode Drivers

CVE-2012-2556 CVE-2012-4786

You never think that a standard IPA is going to kick your ass, just like you don't think of fonts as a security risk. Then there is 120 Minute IPA (Jan 31) from Dogfish Head Craft Brewery with its 18% ABV, and it hits you just like a TrueType or OpenType Font Parsing Vulnerability. With a specially crafted web page or Word document that embeds a malicious font file an attacker could execute arbitrary code. Once you have the ability to run arbitrary code it's pretty much game over; an attacker can install programs, delete data, or create new accounts. All that from a bad font file or a 120 Minute IPA.


MS12-079 (KB2780642)


Remote Code Execution in Microsoft Word


While Microsoft has not yet seen this one being exploited in the wild, they do expect exploit code to show up soon. This one has to do with how MS Word parses RTF files and, again, could result in remote code execution. The problem is present in Word 2003, 2007, 2010 and even MS Word Viewer. Users of Outlook 2007 and Outlook 2010 should also take note, as MS Word is set as the default email reader for those email clients. Considering the rise in recent spear phishing attacks you should not get too comfortable while drinking your Hipster Ale (Nov 10) and instead should apply this patch.


MS12-080 (KB2784126)


Remote Code Execution in MS Exchange Server

CVE-2012-3214 CVE-2012-3217 CVE-2012-4791

Ubiquitous (Nov 23) from Pipeworks Brewing could be used to describe Microsoft Exchange Server, as it is one of the most common email servers on the Internet. It is everywhere. We mentioned last week that you might want to go ahead and schedule a reboot time for your Exchange server so you can apply this update right away. The problem here isn't actually in Exchange but in the Outside-In Libraries provided by Oracle, which is an area that seems to be getting a lot of attention in the last few months. Oracle patched these vulnerabilities in their Critical Patch Update in October. CVE-2012-3214 and CVE-2012-3217 are the two vulnerabilities in the Oracle Libraries, but there is a third CVE fixed in this update, CVE-2012-4791, which can result in a DoS if Exchange Server improperly handles an RSS feed. The DoS could cause the Exchange Database to unmount and lead to corruption of databases affecting user mailboxes. Depending on your boss, losing their email might be worse than RCE, so install the patch and reboot the mail server as soon as you can, then go grab your beer.


MS12-081 (KB2758857)


Remote Code Execution in Windows File Handling


This vulnerability could allow remote code execution if a user browsed to a folder that contains a file or subfolder with a specially crafted name, and it impacts pretty much everything from XP SP3 to Server 2008 R2. And of course 'browse to a folder' can be accomplished with an email attachment if the attacker can get the receiver to open it. If you are still running an older version of the OS, Microsoft thinks this vulnerability will be pretty easy to exploit. Even easier than finding a Christmas Ale (Nov 21) at Christmas time.


MS12-082 (KB2770660)


Remote Code Execution in DirectPlay


DirectPlay is an old API that was part of the DirectX API, used as a network communication library intended for game development but usually used for other stuff. This component is present in all versions of DirectX from 9.0 in XP through 11.1 in Windows 8 and Server 2012. If an attacker can successfully convince a user to view a specially crafted Office document with embedded content they could gain the same user rights as the current user and execute arbitrary code. Exploit code for this looks rather unlikely, which is probably why this is rated as only Important and not Critical. Just because it isn't Critical doesn't mean that it doesn't count, just like Bulmers Irish Cider (Oct 23) still counts as beer.


MS12-083 (KB2765809)


Security Feature Bypass in IP-HTTPS


No one really knows what the three hundred and sixty-sixth beer (it's a leap year!) that Nicholas will have this year will be. Perhaps he doesn't even know. I have to wonder how you even find that many different beers? But when you brew your own beer, like Getcha Through it Holiday Ale (Nov 19), I suppose you are not limited by commercial availability. One thing we do know is that the last bulletin released by Microsoft for 2012 will be a problem with revoked certificates. If an attacker presents a revoked certificate to an IP-HTTPS server commonly used in Microsoft DirectAccess deployments they could bypass security features. To exploit the vulnerability, an attacker must use a certificate issued from the domain for IP-HTTPS server authentication. One way of mitigating this flaw is to disable the domain computer accounts associated with revoked client certificates.


And that's it for all the Microsoft security bulletins for two thousand twelve. We will all raise our beer in hopes that there are even fewer of them next year. In a few days we will also find out which beer Nicholas decides will be his last one for the year and if he will decide to do it again next year!
