SecurityWeek

Vulnerabilities

Microsoft Fixes 16 Security Vulnerabilities in Patch Tuesday Update

Microsoft plugged a pair of vulnerabilities in Internet Explorer 9 today as part of a sizeable Patch Tuesday update.

All told, Microsoft fixed 16 security vulnerabilities, including a bug affecting Microsoft XML Core Services that is being exploited in the wild. The patches are spread across nine bulletins, three of which are rated ‘critical.’ The IE9 bulletin, MS12-044, fixes two bugs that can be exploited to remotely execute code. Though Microsoft said that neither has been seen targeted in the wild, Rapid7 Security Researcher Marcus Carey told SecurityWeek it is likely that reliable exploits will be available soon.

“Microsoft has estimated that a reliable exploit could be available within 30 days,” he said, “which means they believe it has good potential for remote code execution…We have learned from past experience that when it comes to client-side browser bugs, a lot of effort is spent on actualizing exploits to take advantage of them.”

Attackers have already begun targeting a remote code execution issue affecting XML Core Services. The patch fixes the issue on XML Core Services 3.0, 4.0 and 6.0. This bulletin, MS12-043, is rated ‘Critical’, and should be considered a priority, security experts said.

“If you are paying close attention, you’ll notice that the XML version 5 patch for the bug isn’t shipping today,” opined Andrew Storms, director of security operations at nCircle. “The fix for this version is probably not ready yet, so Microsoft decided to deliver the other patches. So far, all the attacks in the wild utilize XML version 3, so this release, even though not totally complete, seems like a no-brainer.”

The final critical bulletin, MS12-045, addresses a vulnerability in Microsoft Windows that, like the other critical bugs, can be exploited to remotely execute code. According to Microsoft, the vulnerability exists in the way that Microsoft Data Access Components (MDAC) accesses an object in memory that has been improperly initialized.

“MDAC is something that has been exploited plenty of times in the past including vulnerability CVE-2006-0003, which was leveraged by the vast majority of exploit toolkits,” said Marc Maiffret, CTO of BeyondTrust. “This new MDAC vulnerability looks to be something that also will make its way into exploit toolkits sooner than later given it affects most OS’s and is straightforward to exploit.”

The remaining bulletins for this month impact Microsoft Office, Windows, Microsoft Server Software and Microsoft Developer Tools. Each of those six bulletins is classified as ‘Important.’

In addition to the patches, Microsoft released Security Advisory 2719662, which allows system administrators to disable the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7 with one Fix it click.

“As many of you are aware, Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store,” blogged Yunsun Wee of Microsoft’s Trustworthy Computing group. “Meanwhile, we’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run.”

The company also issued Security Advisory 2728973, which places certain digital certificates in the Untrusted Certificate Store.

“Though we have no indication that those had been compromised or misused in any fashion, as a precautionary measure we’ve revoked them,” Wee blogged. “A subset of those was in addition found to have code signing permissions, which has earned them a place in the Untrusted Certificate Store.”
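For administrators triaging this release, the items above reduce to three host-level questions: which MSXML versions are present (MS12-043 covers 3.0, 4.0 and 6.0, with 5.0 not yet patched), whether the Sidebar has been turned off as Security Advisory 2719662 recommends, and which certificates now sit in the Untrusted Certificate Store with a code-signing purpose (Security Advisory 2728973). The PowerShell below is an added posture check written for this article, not code from SecurityWeek or Microsoft. It assumes the MSXML DLLs live under System32 with their standard names, and that the Fix it from advisory 2719662 sets the same `TurnOffSidebar` policy value as the “Turn off Windows Sidebar” Group Policy; that mapping is an assumption to verify against the advisory, not something the article states.

```powershell
# Added example (not from the SecurityWeek article or Microsoft).
# Read-only posture check for the July 2012 Patch Tuesday items discussed above.
# Run in an elevated PowerShell session on Windows Vista / 7.

# 1. MSXML inventory for MS12-043. Reports which of the patched MSXML
#    generations are installed and their file versions, so the host can be
#    matched against the bulletin's fixed-version list (not included here).
function Get-MsxmlInventory {
    $names = 'msxml3.dll', 'msxml4.dll', 'msxml6.dll'
    foreach ($name in $names) {
        $path = Join-Path $env:SystemRoot "System32\$name"   # assumed location
        $present = Test-Path $path
        $version = $null
        if ($present) { $version = (Get-Item $path).VersionInfo.FileVersion }
        New-Object PSObject -Property @{
            File    = $name
            Present = $present
            Version = $version
        }
    }
}

# 2. Windows Sidebar / Gadgets for Security Advisory 2719662. The policy key
#    and value below are the "Turn off Windows Sidebar" Group Policy mapping;
#    that the advisory's Fix it writes this same value is an assumption.
function Test-SidebarDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
    if (-not (Test-Path $key)) { return $false }
    $item = Get-ItemProperty -Path $key -Name 'TurnOffSidebar' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.TurnOffSidebar -eq 1)
}

# 3. Untrusted Certificate Store for Security Advisory 2728973. Lists every
#    distrusted certificate and flags those carrying the code-signing
#    Enhanced Key Usage (OID 1.3.6.1.5.5.7.3.3), the subset the advisory
#    singles out.
function Get-DistrustedCertificates {
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $ekuExtensionOid = '2.5.29.37'
    Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' | ForEach-Object {
        $cert = $_
        $hasCodeSigning = $false
        $ekuExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $ekuExtensionOid } |
            Select-Object -First 1
        if ($ekuExt) {
            $typed = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt
            $match = $typed.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid }
            $hasCodeSigning = [bool]$match
        }
        New-Object PSObject -Property @{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            CodeSigning = $hasCodeSigning
        }
    }
}

# Report.
'--- MSXML inventory (MS12-043) ---'
Get-MsxmlInventory | Format-Table File, Present, Version -AutoSize
"--- Sidebar disabled by policy (SA 2719662): $(Test-SidebarDisabled) ---"
'--- Distrusted certificates with code-signing EKU (SA 2728973) ---'
Get-DistrustedCertificates | Where-Object { $_.CodeSigning } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

The script changes nothing on the host; it only reads file metadata, one policy value and the Disallowed store. A version that is present but older than the bulletin's fixed build, a Sidebar policy that is absent, or an empty distrusted list on a machine that should have received the advisory's update are each a prompt to check update deployment rather than a finding in themselves.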
