SpiderLabs Blog

Microsoft Patch Tuesday, October 2012 – Legend of Zelda Edition

Hope you enjoyed last month's light Patch Tuesday with only two bulletins, because this month we are right back at it with seven bulletins covering everything from Elevation of Privilege and Denial of Service to Remote Code Execution. There is only one critical update this month, but there is also the enforcement of 1024-bit digital certificates. Probably the most interesting patch this month involves Lync, Microsoft's enterprise messaging system, if only because every time I read "Lync" I think "Link", as in the hero of Nintendo's Legend of Zelda, which I spent way too much time playing back in the eighties.


Much like Link needs to collect keys to open doors in Hyrule, Microsoft products often use certificates to allow communication between products. As of today, Microsoft products will reject any certificate with an RSA key shorter than 1024 bits. Microsoft has had an optional patch available for the last two months to enforce this rule, but now it is no longer optional. Even if you are not using 512-bit keys, this is an excellent opportunity to update all your keys to 1024 bits or more.
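Before the enforcement bites, it is worth knowing whether any short keys are still sitting in your certificate stores. The PowerShell below is an added example, not code from the original post: it walks the local machine and current user stores and lists every certificate whose RSA public key is below the minimum. The 1024-bit threshold comes from the post; the function name, the store paths and the use of RSACertificateExtensions (which needs .NET Framework 4.6 or later) are my own assumptions.

```powershell
# Added example, not from the original post: list certificates in the local
# stores whose RSA public key is shorter than the newly enforced minimum.
# Assumptions: the Cert: provider is available (Windows PowerShell), the store
# paths below exist, and .NET 4.6+ is present for RSACertificateExtensions.
function Get-WeakRsaCertificate {
    [CmdletBinding()]
    param(
        [string[]] $StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int] $MinimumBits = 1024   # threshold described in the post
    )

    Get-ChildItem -Path $StorePath -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $cert = $_
            # GetRSAPublicKey returns $null for non-RSA keys (e.g. ECDSA), so those
            # certificates are skipped instead of being misreported.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa -and $rsa.KeySize -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = $cert.PSParentPath -replace '^.*::', ''   # e.g. LocalMachine\My
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    KeyBits    = $rsa.KeySize
                    NotAfter   = $cert.NotAfter
                }
            }
        }
}

# Weakest and soonest-to-expire first, so renewals can be prioritised.
Get-WeakRsaCertificate | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
```

Anything this reports needs to be reissued rather than just noted: once the enforcement is in place, chains built through a short key will fail regardless of how trusted the issuer is. Certificates that applications load from files or from non-Windows stores are not covered by this walk and have to be checked separately.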

 

MS12-064 (KB 2742319)

CRITICAL

Remote Code Execution in Microsoft Word

CVE-2012-0182, CVE-2012-2528

A specially crafted RTF file could allow an attacker to take complete control of a system: install their own programs, delete data or even create new accounts. (Sounds like something a Wall Master would do.) The vulnerability is present in most versions of Microsoft Word 2003, 2007 and 2010, and even in SharePoint Server 2010 SP1, and is caused by how Word handles memory when parsing certain files. This one can be a little tricky because Microsoft Word is set as the default mail reader in Outlook 2007 and 2010, which means an attacker could use email as the attack vector to get you to open the specially crafted RTF file. This vulnerability has been hidden away in a dungeon (probably the Manji Dungeon) and has not yet been seen in the wild.

 

MS12-065 (KB 27546070)

IMPORTANT

Remote Code Execution in Microsoft Works

CVE-2012-2550

The last time I used Microsoft Works was version 2.0 on my Mac SE, so I was surprised to learn that the current version is 9.0 and is still a supported and even a shipping product. Works 9.0 is still available at retail but is mostly bundled by OEMs with new systems. If you are using Works 9.0 you will want to pay attention to this one, especially if you open Microsoft Word files with your version of Works. When Works attempts to convert a Word file it can corrupt system memory, which could allow an attacker to execute arbitrary code. If you are using an older version of Microsoft Works you should really think about upgrading. Microsoft doesn't say whether the vulnerability exists in older versions, since they are no longer supported, so to be safe you will want to upgrade.

 

MS12-066 (KB 2741517)

IMPORTANT

Elevation of Privilege in HTML Sanitization

CVE-2012-2520


"But wait! All was not lost. A young lad appeared. He skillfully drove off Ganon's henchmen and saved Impa from a fate worse than death. His name was Link."


OK, this one affects more than just Lync: InfoPath, Communicator, SharePoint, Groove and Office Web Apps are also affected. However, as soon as I read Lync I immediately thought of our intrepid hero and his quest to save the lovely Princess Zelda. But instead of being hunted by the evil forces of Ganon, this Lync is hunted by poorly sanitized HTML strings. The bad strings could allow cross-site scripting attacks that run script in the context of the logged-on user. If you try to get the full Lync update through Automatic Update you won't find it: the update for Lync 2010 Attendee (user-level install) has to be handled through a Lync session, so the update is only available from the Microsoft Download Center. This one has escaped the dungeon and has been seen on a limited basis in the wild. (Just hiding under the sand like a Peahat, waiting to get you.)

 

MS12-067 (KB 2742321)

IMPORTANT

Remote Code Execution in SharePoint FAST Search Server 2010

CVE-2012-1766


You only need to worry about this patch if you have the Advanced Filter Pack enabled on your FAST Search Server 2010 for SharePoint; it is disabled by default. Exploitation of this vulnerability could allow an attacker to run arbitrary code in the context of a user account with a restricted token (Orange Rupee?). The flaw is actually in the Oracle Outside In libraries licensed by Microsoft. This is at least the second recent vulnerability we have seen in these libraries. While this one has not yet been seen in the wild, Microsoft thinks that exploit code for this vulnerability is likely to exist within the next thirty days.

 

MS12-068 (KB 2724197)

IMPORTANT

Elevation of Privilege in Windows Kernel

CVE-2012-2529


I hate reading "all supported releases of Microsoft Windows"; it sends shivers up my spine like a Stalfos. However, this statement was closely followed by "except Windows 8 and Windows Server 2012", which isn't much consolation, but I'll take it. This is a classic elevation of privilege, requiring an attacker to already have access to a system either through legitimate credentials or some other vulnerability. Once inside, an attacker could use this vulnerability to gain administrator-level access.

 

MS12-069 (KB 2743555)

IMPORTANT

Denial of Service in Kerberos

CVE-2012-2551


Unlike MS12-068, which affects just about everything, MS12-069 is only found in Windows 7 and Server 2008 R2. A specially crafted session request to the Kerberos server could result in a denial of service. If you have a properly configured firewall in place it will help protect your network from external attacks, sort of like Link's shield protects against Tektites. Of course that won't do much good if the attacker is already inside your network.

 

MS12-070 (KB 2754849)

IMPORTANT

Elevation of Privilege in SQL Server

CVE-2012-2552

If you are running SQL Server Reporting Services then you have a problem validating input parameters which, if exploited, could cause an elevation of privilege. The XSS filter in Internet Explorer 8, 9 and 10 can protect users against this attack if it is enabled in the Intranet Zone, which is not the default. You can enable it by going to Internet Options -> Security Settings -> Intranet Zone -> Custom Level -> Enable XSS Filter, or just apply the patch offered through Automatic Updates. If you decide to do neither and a user clicks on a specially crafted link in email or browses to a specially crafted web page, well, game over.
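Clicking through Internet Options works for one desktop; for a fleet you want to read the setting from the registry and see whether a policy is already overriding it. The following PowerShell is an added example, not code from the original post. It assumes that Internet Explorer stores the Intranet zone under zone index 1 and the "Enable XSS Filter" action under value name 1409 with 0 meaning enabled and 3 meaning disabled; those identifiers are my assumptions about the Internet Settings registry layout, not something the post states.

```powershell
# Added example, not from the original post: report whether the IE XSS Filter is
# enabled for the Local Intranet zone, and optionally turn it on for the current
# user. Assumptions: zone index 1 is Local Intranet and URL action value 1409 is
# "Enable XSS Filter" (0 = enable, 3 = disable) in the Internet Settings layout.
function Test-IntranetXssFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Enable)

    $userPath    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    $policyPaths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    )
    $states = @{ 0 = 'Enabled'; 3 = 'Disabled' }

    foreach ($path in @($userPath) + $policyPaths) {
        # Missing key or value simply means "not configured at this scope".
        $value = (Get-ItemProperty -Path $path -Name '1409' -ErrorAction SilentlyContinue).'1409'
        $state = 'Not set'
        if ($null -ne $value) {
            $state = $states[[int]$value]
            if (-not $state) { $state = "Unexpected value $value" }
        }
        [pscustomobject]@{
            Scope = if ($path -like 'HKLM:*') { 'Machine policy' } elseif ($path -like '*Policies*') { 'User policy' } else { 'User setting' }
            State = $state
            Path  = $path
        }
    }

    if ($Enable -and $PSCmdlet.ShouldProcess($userPath, 'Set 1409 (XSS Filter) to 0 (Enable)')) {
        # Policy scopes take precedence over the user setting; this changes only the latter.
        Set-ItemProperty -Path $userPath -Name '1409' -Value 0 -Type DWord
    }
}

# Report first; re-run with -Enable (and -WhatIf to preview) to turn the filter on.
Test-IntranetXssFilter | Format-Table -AutoSize
```

If either policy scope reports a value, that is what the browser honours and the user setting is irrelevant, so the fix belongs in Group Policy rather than in HKCU. Either way the filter is a mitigation for users who browse with IE; the patch is what actually removes the input-validation flaw in Reporting Services.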

 

"Can Link really destroy Ganon and save Princess Zelda?"

"Only your skill can answer that question. Good luck. Use the Triforce wisely."


 
