Microsoft's May Patch Tuesday update is now available, with seven security bulletins (three rated Critical) that deliver 23 fixes across Windows, Office, Silverlight, and the Microsoft .NET Framework.

At the top of the list is MS12-034, a combined security update for Microsoft Office, Windows, .NET Framework, and Silverlight. It's an update that addresses vulnerabilities first brought to light by the Duqu malware that surfaced in 2011. Microsoft first patched for Duqu in December 2011. With today's update, Microsoft is addressing multiple "Sons of Duqu" vulnerabilities by patching copies of the code that were found elsewhere in the Microsoft code base.

"This is by far one of the largest security bulletins Microsoft has ever released," said Jason Miller, manager of research and development for VMware, in an email statement to eSecurity Planet.

The MS12-034 bulletin fixes ten vulnerabilities but it has a very wide exposure. Millers noted that the bulletin covers:

  • 72 Microsoft operating systems / service pack combinations
  • 31 Microsoft .NET installation versions and types
  • 9 Microsoft Office installation versions and types
  • 6 Microsoft Silverlight installation versions and types

"Five months ago, we released security update MS11-087 to address CVE-2011-3402, a vulnerability that was being exploited by the Duqu malware to execute arbitrary code when a user opened a malicious Office document," wrote Jonathan Ness of Microsoft Security Response Center Engineering in a blog post on TechNet. "As you can read from the SRD blog post we published at the time, this vulnerability was due to an insufficient bounds check within the font parsing subsystem of win32k.sys. In the time since we shipped MS11-087, we discovered that several Microsoft products contained a copy of win32k.sys's font parsing code. Unfortunately, each copy of the code also contained the vulnerability addressed by MS11-087."

To address these "Sons of Duqu" vulnerabilities, Microsoft Security Response Center Engineering worked with Microsoft Research to develop a "Cloned Code Detection" system to find any instance of the vulnerable code in any shipping product, Ness wrote.

Critical Vulnerability Affecting Word and Outlook

While MS12-034 has broad implications, there's another security bulletin in May's Patch Tuesday update that is even more critical for most organizations, Qualys CTO Wolfgang Kandek wrote in an email to eSecurity Planet. Kandek pointed to MS12-029, a vulnerability in Microsoft Word that could allow remote code execution without requiring user interaction.

MS12-029 is rated critical because "simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit," Kandek wrote.

Marcus Carey, security researcher at Rapid7, noted in an email to eSecurity Planet that the Office update affects all supported editions of Microsoft Word 2003, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011.

"In light of the recent uptick in Mac vulnerability reporting, I suspect we will be hearing about this in the future if Mac users fail to patch this vulnerability," Carey wrote. "Mac users should start paying more attention to third party updates such as Word and Java that directly affect their security."

Office is also tagged for an additional set of vulnerabilities in MS12-030.

Regarding MS12-030, the vulnerabilities "could allow remote code execution if a user opens a specially crafted Office file," Microsoft warned in its advisory. "An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Sean Michael Kerner is a senior editor at eSecurity Planet and, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.

May 2012 Patch Tuesday Deployment Priority



"Bulletin Deployment Priority" slide image and "Update Tuesday" video courtesy of Microsoft Corp.