Microsoft plans to issue fixes for 25 security vulnerabilities in its upcoming June 2012 Patch Tuesday update.
The fixes will spread across seven bulletins – three of which are critical – affecting vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics A, and the .NET Framework. The critical bulletins address issues in Windows, Internet Explorer and the .NET Framework. The remaining bulletins are classified as ‘Important.’
Wolfgang Kandek, CTO of Qualys, said users should focus on the three critical bulletins, Bulletin 4 – which deals with Microsoft Office – and the recent Microsoft update addressing the use of fraudulent Microsoft digital certificates.
“If you have not installed the update in Security Advisory 2718704 yet, you should plan on rolling it out as quickly as possible at least together with the other critical patches next week,” he said. “It is a simple patch that only removes the offending certificates from the system certificate store and will harden the OS against the expected use of the Flame signing technique by future Malware.”
The certificate issue came up during the ongoing investigation of the Flame attacks, when it was discovered components of Flame were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. Those certificates were then used in combination with a man-in-the-middle attack to utilize the Windows Update mechanism to propagate the malware on a local network.
Hardening Windows Update
In addition to revoking trust in the certificate authorities at the center of the attacks, Microsoft also pledged to harden the Windows Update mechanism to prevent other attackers from taking the same action.
“To attack systems using Windows Vista and above, a potential attacker would have needed access to the now invalid Terminal Server Licensing Service certificates and the ability to perform a sophisticated MD5 hash collision,” explained Mike Reavy, senior director at Microsoft Security Response Center. “On systems that pre-date Vista, an attack is possible without an MD5 hash collision. In either case, of course, an attacker must get his signed code onto the target system. This can be done if the client’s Automatic Update program receives the attacker’s signed package because such packages are trusted so long as they are signed with a Microsoft certificate. Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack.”
Microsoft is addressing this issue in two ways. First, the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, the company said it is strengthening the communication channel used by Windows Update “in a similar way.”
The changes to the Windows Update and Windows Server Update Services will be rolled out during the next few days, Microsoft said.
The Patch Tuesday updates are slated for June 12.