This month’s patch Tuesday brings a set of three “critical” bulletins focused on Windows/web browser component vulnerabilities and six other bulletins rated “important”. In other words, two of the critical components are considered “Windows” components, but most likely would be attacked through the web browser. Also, the top priority bulletin patches the CVE-2012-1889 vulnerability being exploited not only by attackers targeting high value targets, but common-off-the-shelf/commodity exploit packs.
Kaspersky products detect malicious web pages exploiting CVE-2012-1889 with “HEUR:Exploit.Script.Generic”. Addition of a working exploit targeting MSXML Core Services 3.0 within IE6 and IE7 XPSP3 to the Metasploit Framework on June 12th helped make this one more mainstream. While it may seem that targeting XP would limit its reach, it’s important to note that various market share surveys and reports show that Windows XP continues to take major OS market share. Interestingly, the MS12-043 Bulletin addressing this vulnerability patches MSXML Core Services 3, 4, and 6, leaving out version 5. Versions 3 and 6 ship with Windows itself. Accordingly, msxml3.dll and msxml6.dll reside in c:windowssystem32 across all supported versions of Windows, while the other versions are installed by Microsoft Office and other software.
Also patching the potential for web client-side drive-by’s, MS12-045 addresses an MDAC vulnerability, reminiscent of MS06-014, one of the longest lasting, reliable, most heavily targeted client-side vulnerabilities in Microsoft technology. It was taken advantage of for years by the Russian Business Network, purchasers of MPack, and later others, distributing Torpig and Rustock, while the nascent exploit kit market was solidifying back in 2006. It continues to be included in some of the live exploit pack control panels that we see. We’ll see how this new MDAC issue compares.
The third of the bulletins fighting “critical” rated web client side vulnerabilities fixes a couple of newer vulnerability types being targeted (“Cached Object Remote Code Execution Vulnerability – CVE-2012-1522”, “Attribute Remove Remote Code Execution Vulnerability – CVE-2012-1524”) introduced by Internet Explorer version 9 itself. Versions 6, 7 and 8 do not maintain the vulnerable code.
With that, we leave you to your regularly scheduled patching.