Microsoft plugged a pair of vulnerabilities in Internet Explorer 9 today as part of a sizeable Patch Tuesday update.
All totaled, Microsoft fixed 16 security vulnerabilities, including a bug affecting Microsoft XML Core Services that is being exploited in the wild. The patches are spread out across nine bulletins, three of which are rated ‘critical.’ The IE9 bulletin, MS12-044, fixes two bugs that can be exploited to remotely execute code. Though Microsoft said that neither has been seen being targeted in the wild, Rapid7 Security Researcher Marcus Carey told SecurityWeek it is likely that reliable exploits will be available soon.
“Microsoft has estimated that a reliable exploit could be available within 30 days,” he said, “which means they believe it has good potential for remote code execution…We have learned from past experience that when it comes to client-side browser bugs, a lot of effort is spent on actualizing exploits to take advantage of them.”
Attackers have already begun targeting a remote code execution issue affecting XML Core Services. The patch fixes the issue on XML Core Services 3.0, 4.0 and 6.0. This bulletin, MS12-043, is rated ‘Critical’, and should be considered a priority, security experts said.
“If you are paying close attention, you’ll notice that the XML version 5 patch for the bug isn’t shipping today,” opined Andrew Storms, director of security operations at nCircle. “The fix for this version is probably not ready yet, so Microsoft decided to deliver the other patches. So far, all the attacks in the wild utilize XML version 3, so this release, even though not totally complete, seems like a no-brainer.”
The final critical bulletin, MS12-045, addresses a vulnerability in Microsoft Windows that, like the other critical bugs, can be exploited to remotely execute code. According to Microsoft, the vulnerability exists in the way that Microsoft Data Access Components (MDAC) accesses an object in memory that has been improperly initialized.
“MDAC is something that has been exploited plenty of times in the past including vulnerability CVE-2006-0003, which was leveraged by the vast majority of exploit toolkits,” said Marc Maiffret, CTO of BeyondTrust. “This new MDAC vulnerability looks to be something that also will make its way into exploit toolkits sooner than later given it affects most OS’s and is a straight forward to exploit.”
The remaining bulletins for this month impact Microsoft Office, Windows, Microsoft Server Software and Microsoft Developer Tools. Each of those six bulletins classified as ‘Important.’
In addition to the patches, Microsoft released Security Advisory 2719662, which allows system administrators to disable the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7 with one Fix it click.
“As many of you are aware, Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store,” blogged Yunsun Wee of Microsoft’s Trustworthy Computing group. “Meanwhile, we’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run.”
The company also issued Security Advisory 2728973, which places certain digital certificates in the Untrusted Certificate Store.
“Though we have no indication that those had been compromised or misused in any fashion, as a precautionary measure we’ve revoked them,” Wee blogged. “A subset of those was in addition found to have code signing permissions, which has earned them a place in the Untrusted Certificate Store.”