Microsoft is out with its monthly Patch Tuesday release, this time providing fixes for at least 26 vulnerabilities. The vulnerabilities are grouped into five critical and four important bulletins, addressing flaws spread across the Microsoft software portfolio.
At the top of the Patch Tuesday release list is a re-release of MS12-043 which affects Microsoft XML Core Services. The patch was originally part of the July Patch Tuesday update, but it did not include a fix for XML Core Services version 5.0.
As to why Microsoft did not include the XML 5 patch in the July update alongside the updates to XML versions 3.0, 4.0, and 6.0, it all has to do with timing and quality.
“Delivering comprehensive, high-quality security protections is an extensive process where we always strive to help protect customers as soon as possible by providing the necessary information for our customers to prepare for an upcoming release,” said Microsoft Trustworthy Computing Director Yunsun Wee in response to a question from eSecurity Planetabout the XML 5 patch delay.
For the third month in a row, Microsoft is also providing a cumulative Internet Explorer patch update. The August update fixes four different critical vulnerabilities that affect multiple versions of IE.
“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer,” according to Microsoft’s security advisory. “An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user.”
The trend toward more routine monthly patching for IE is a change from the bi-monthly approach that was the norm in recent years for Microsoft.
“Microsoft is moving away from a rigid bi-monthly update cadence for Internet Explorer and will now push out monthly updates as appropriate,” Wee told eSecurityPlanet.
It’s also interesting to note that according to at least one security vendor, IE is no longer among the most vulnerable pieces of software. Qualys CTO Wolfgang Kandek told eSecurity Planet that the company’s latest Top 10 Vulnerabilities list no longer includes Internet Explorer.
“Apparently IT admins have been accelerating patching the browser and it is not even in the Top 50 anymore,” Kandek said. “The most prevalent vulnerable software continues to be Java, Adobe Reader, Flash, and the Windows OS by itself.”
Remote Code Execution
The August Patch Tuesday update also includes four bulletins that deal with vulnerabilities that could lead to remote code execution. Windows Remote Desktop, Windows Networking Components, Windows Common Controls, and Microsoft Exchange Server are all being patched for remote code execution risks.
The Exchange Server vulnerability is particularly noteworthy because it’s not actually a flaw with a Microsoft component, it’s a flaw in a third party component from Oracle.
“Microsoft security bulletin MS12-058 details a vulnerability within Microsoft Exchange that essentially allows for remote system compromise if you send a specifically-crafted email to an Exchange server where the email is then read by someone using Outlook Web Access,” BeyondTrust CTO Marc Maiffret said. “The reason this is possible is because of Microsoft’s usage of Oracle’s Outside In document parsing technology.”
According to Maiffret, Oracle’s Outside In technology has multiple vulnerabilities that result in code execution.
“This vulnerability is not only particularly critical because of its ability to compromise Exchange but also because of the track record that Oracle’s Outside In technology has from a security perspective,” Maiffret added. “Outside In has had multiple vulnerabilities in the past and by judging the types of vulnerabilities being found we believe there will be more found in the future and that means potentially more Microsoft Exchange compromise vulnerabilities to come.”