Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Microsoft Patch Tuesday, October 2012 – Legend of Zelda Edition

Hope you enjoyed last months light patch Tuesday with only two bulletins as this month we are right back at it with seven bulletins covering everything from Elevation of Privilege, Denial of Service and RemoteCode Execution. There is only one critical update this month but there is also the enforcement of 1024 bit digital certificates. Probably the most interesting patch this month involves Lync, Microsoft's enterprise messaging system, if only for the reason that every time I read Lync I think Link, as in the hero of Nintendo's Legend of Zelda which I spent way too much time playing back in the eighties.


Much like Link needs to get keys to open doors in Hyrule Microsoft products will often use certificates to allow communication between products. As of today Microsoft products will reject any certificates with RSA keys of less than 1024 bits. Microsoft has made an optional patch available for the last two months to enforce this rule but now it is no longer optional. Even if you are not using 512 bit keys this is an excellent opportunity to update all your keys to 1024 bits or even more.


MS12-064 (KB 2742319)


Remote Code Execution in Microsoft Word



A specially crafted RTF file could allow an attacker to take complete control of a system to install their own programs, delete data or even create new accounts. (Sounds like something a WallMaster would do.) The vulnerability is present in most versions of Microsoft Word 2003, 2007, 2010 and even Sharepoint Server 2010 SP1 and is caused by how Word handles memory when parsing certain files. This one can be a little tricky because Microsoft Word is set as the default mail reader inOutlook 2007 and 2010, which means that an attacker could leverage email as the attack vector to get you to open the specially crafted RTF file. This vulnerability has been hidden away in a dungeon (probably the Manji Dungeon) and has not yet been seen in the wild.


MS12-065 (KB 27546070)


Remote Code Execution in Microsoft Works


The last time I used Microsoft Works was version 2.0 on myMac SE so I was surprised to learn that the current version is 9.0 and is still a supported and even a shipping product. Works 9.0 is still available at retail but is mostly used by OEMs to include with systems. If you are using Works 9.0you will want to pay attention to this one especially if you try to openMicrosoft Word files with your version of Works. When Works attempts to convert a Word file it can potentially cause system memory corruption that could allow an attacker to execute arbitrary code. If you are using an older version of Microsoft Works you should really think about upgrading. Microsoft doesn't mention if the vulnerability exists in older versions or not since they are no longer supported, so to be safe you will want to upgrade.


MS12-066 (KB 2741517)


Elevation of Privilege in HTML Sanitation



"But wait! All was not lost. A young lad appeared. He skilfully drove off Ganon's henchmen and saved Impa from a fate worse than death. His name was Link."


OK, this one affects more than just Lync but also Infopath, Communicator, SharePoint, Groove and Office Web Apps. However as soon as I read Lync I immediately thought of our intrepid hero and his quest to save the lovely princessZelda. But instead of being hunted by the evil forces of Ganon this Lync is hunted by poorly sanitized HTML strings. The bad strings could allow cross-site scripting attacks that could run scripts in the context of the logged-on user. If you try to get the full Lync update through Automatic Update you won't find it.The update for Lync 2010 Attendee (user level install) has to be handled through a Lync session so the update is only available in the Microsoft Download Center. This one has escaped the dungeon and has been seen on a limited basis in the wild. (Just hiding under the sand like a Peahat waiting to get you.)


MS12-067 (KB 2742321)


Remote Code Execution in Sharepoint FAST Search Server 2010



You only need to worry about this patch if you have the Advanced Filter Pack enabled on your FAST Search Server 2010 for SharePoint,it's disabled by default. Exploitation of this vulnerability could allow an attacker to run arbitrary code in the context of a user account with a restricted token (Orange Rupee?). The flaw is actually in the Oracle Outside-In libraries licensed from by Microsoft. This is at least the second recent vulnerability we have seen in these libraries. While this one has not yet been seen in the wild Microsoft thinks that code to exploit this vulnerability is likely to exist within the next thirty days.


MS12-068 (KB 2724197)


Elevation of Privilege in Windows Kernel



I hate reading "all supported releases of MicrosoftWindows", it sends shivers up my spine like a Stalfos. However, this statement was closely followed by "except Windows 8 and Windows Server 2012", which isn't much consolation, but I'll take it. This is a classic elevation of privilege requiring an attacker to already have access to a system either through legitimate credentials or some other vulnerability. Once inside an attacker could use this vulnerability to gain administrator level access.


MS12-069 (KB 2743555)


Denial of Service in Kerberos



Unlike MS12-068 that affects just about everything MS12-069 is only found in Windows 7 and Server2008 R2. A specially crafted session request to the Kerberos server could result in a denial of service. If you have a properly configured firewall in place it will help protect your network from external attacks, sort of likeLink's shield protects against Tektites. Of course that won't do much good if the attacker is already inside your network.


MS12-070 (KB 2754849)


Elevation of Privilege in SQL Server


If you are running the SQL Server Reporting Service then you have a problem validating input parameters which if exploited could cause an elevation of privilege. The XSS filter in Internet Explorer 8, 9, and 10 can protect users against this attack ifit is enable in the Intranet Zone, which is not the default. You can enable it by going to Internet Options -> Security Settings -> Intranet Zone -> Custom Level -> Enable XSS Filter or just apply the patch offered through Automatic Updates. If you decide to do neither and a user clicks on a specially crafted link in email or browses to a specially crafted web page, well, game over.


"CanLink really destroy Ganon and save princess Zelda?

"Only your skill can answer that question. Good luck. Use the Triforce wisely."