Microsoft Plugs 23 Security Holes in May Patch Tuesday Update

Security researchers are warning Microsoft customers to keep their eyes on the critical bulletins in this month’s Patch Tuesday update.

“Bulletin MS12-029 is the most likely to be exploited,” Wolfgang Kandek, CTO of Qualys, told SecurityWeek. “It fixes a vulnerability in the RTF file format and can be executed in the preview pane of Microsoft Outlook in the Office suites 2003 and 2007. Since the preview pane does not require any user interaction, no opening of files, just going through the incoming e-mail, this vulnerability has the most potential to be exploited widely.”

MS12-029 is just one of three critical bulletins in this release. All told, Microsoft issued patches for 23 security bugs across its product line. However, the company recommends that administrators turn their attention first to two of the seven bulletins: MS12-034 and MS12-029. According to Microsoft, MS12-029 addresses a critical bug in Microsoft Office that could lead to remote code execution if the victim opens or previews a malicious RTF (Rich Text Format) file using a vulnerable version of Microsoft Office. An attacker could exploit the vulnerability by sending someone specially crafted RTF-formatted data in an email message.

“The vulnerability could be exploited when the specially crafted RTF email message is previewed or opened in Outlook while using Microsoft Word as the email viewer,” according to the company. “An attacker could also exploit the vulnerability by sending a specially-crafted RTF file as an attachment and convincing the user to open the specially crafted RTF file. Note that by default, Microsoft Word is the email reader in Outlook 2007. In a web-based attack scenario, an attacker could host a website that contains an Office file that is used to attempt to exploit this vulnerability.”

MS12-034 includes 10 fixes across several product lines that were bundled together as part of an update meant to put the finishing touches on a vulnerability exploited by the infamous Duqu malware. Believed to be related to Stuxnet, Duqu was spotted in September exploiting a vulnerability affecting Microsoft Word. Though the company patched the bug with MS11-087, other Microsoft products were discovered to contain the same vulnerability as well.

“At first glance, MS12-034 may seem to be addressing a number of unrelated vulnerabilities in unrelated products,” blogged Jonathan Ness, from Microsoft Security Response Center Engineering. “For example, why would a keyboard layout handling vulnerability be addressed in the same update as a Silverlight issue? However…we needed to address the font parsing vulnerability (CVE-2011-3402) in a number of different products.”

“As each new product was added to the security update package, the vulnerabilities planned-to-be-addressed in the same binary were also included,” he continued. “Addressing CVE-2011-3402 required us to service ogl.dll, gdiplus.dll, win32k.sys, Silverlight, .NET Framework, etc. Because gdiplus.dll was being addressed, several other fixes that were scheduled to be released in the same binary were looped in to this update.”

“MS12-034 is sheer craziness—it’s going to be the most interesting and most painful part of the day for most IT security teams,” said Tyler Reguly, technical manager of security research and development at nCircle. “There are multiple Office and .NET patches due to the overlap of products in this bulletin. When you get past MS12-034, it’s a fairly normal month with the expected local privilege escalation issues and Office patches.”

The third critical bulletin is MS12-035, which patches two critical vulnerabilities in the .NET Framework that could allow an attacker to execute code if a victim views a specially-crafted webpage using a Web browser that can run XAML Browser Applications (XBAPs).

“On desktop systems organizations should install as quickly as possible the MS12-029, and the two other Office-based vulnerabilities plus the XBAP fix, as they address the easiest attack vectors,” Kandek said. “All others can wait a little longer if that helps the organization’s change management. MS12-034 contains patches for many of Microsoft’s software packages and it makes sense to perform additional test cycles to see if any compatibility issues occur.”

The remaining security bulletins are rated ‘important’ and address remote code execution and privilege escalation issues in Microsoft Windows and Microsoft Office.