Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Patches 26 Vulnerabilities in August Security Update

Microsoft released nine security bulletins today addressing 26 vulnerabilities in its products.

Five of the bulletins are rated ‘critical’, and cover issues in Windows, Internet Explorer, Microsoft SQL Server, Microsoft Exchange, Server Software and Developer Tools. From a priority standpoint, Microsoft recommended organizations deploy three critical updates first – MS12-060, MS12-052 and MS12-054.

Microsoft released nine security bulletins today addressing 26 vulnerabilities in its products.

Five of the bulletins are rated ‘critical’, and cover issues in Windows, Internet Explorer, Microsoft SQL Server, Microsoft Exchange, Server Software and Developer Tools. From a priority standpoint, Microsoft recommended organizations deploy three critical updates first – MS12-060, MS12-052 and MS12-054.

Microsoft Patch Tuesday August 2012“At the top of the Microsoft list is another MSCOMCTL-related bug,” said Andrew Storms, director of security operations at nCircle.

Storms was referring to MS12-060, which addresses a vulnerability in Windows common controls that could enable remote code execution through drive-by downloads.

 “There is some good news this month—that the attack vector associated with the MSCOMCTL patch is an RTF file—and the victim has to explicitly open the file to allow the exploit,” he said. “If you can’t get this patch rolled out or mitigation applied quickly, you should remind users about the dangers of opening attachments from unknown persons.”

MS12-052 addresses four vulnerabilities affecting Internet Explorer. None of them are known to be under attack, however successful exploitation via drive-by downloads could result in remote code exaction. Like MS12-052, MS12-054 also addresses four vulnerabilities, though in this case in Microsoft Windows. The most severe of the bugs could enable an attacker to remotely execute code if the attackers send a specially-crafted response to a Windows print spooler request.  

“MS12-054 contains a sprint spooler bug with a potentially wormable condition, Storms said, meaning attackers are going to focus carefully on the vulnerability “to uncover all of its potential.”

“This is something that predominately affects small business and campus locations where Windows computers are configured in workgroups,” he said. “If this describes your business, deploy this patch as soon as you can.”

The other two critical bulletins deal with vulnerabilities in Microsoft Exchange Server WebReady Document Viewing and the Remote Desktop Protocol.  By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system, and systems that do not have RDP enabled are not at risk, according to Microsoft.

Advertisement. Scroll to continue reading.

The remaining bulletins are rated ‘Important’ and address issues in Windows and Office.

In the video below, Qualys CTO Wolfgang Kandek and Amol Sarwate, vulnerability labs director at Qualys, discuss the Microsoft Patch Tuesday release for August 2012, along with other updates released by Adobe.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.