For a month now, Microsoft users have known about a critical XML flaw that has left their systems at risk. Today in Microsoft’s July Patch Tuesday update, that XML flaw thas been partially addressed in one of nine security bulletins issued by Microsoft. The security bulletins also address critical updates for flaws in Internet Explorer and Microsoft Data Access Components (MDAC).
The MS12-043 bulletin details the Microsoft XML Core Services vulnerability that was first revealed in the June Patch Tuesday update. That flaw has been exploited in the wild over the past month. While Microsoft is now issuing a patch, it doesn’t cover all possible vulnerable XML scenarios. The patch fixes Microsoft XML Core Services 3.0, 4.0, and 6.0 — but it does not patch version 5.0, which is still widely used and deployed in Microsoft’s Office products.
“My guess is that a patch for XML 5 will come out next month and the Microsoft Office team was just not able to get a patch out in time,” Wolfgang Kandek, CTO of Qualys, told eSecurity Planet. “So the risk now is that attackers will change their code to attack XML version 5.”
Kandek noted that the vulnerability in XML 5 is the same as it is in XML 3, 4, and 6. As such, will be fairly simple for attackers to target.
However, Microsoft is not leaving its users entirely exposed to the XML 5 vulnerability. The company has issued a fix-it patch for XML 5 that provides a band-aid approach to addressing the flaw. Amol Sarwate, Director of Vulnerability Labs at Qualys, told eSecurity Planetthat a fix-it patch is often just a killbit — a piece of code that restricts the ability of a function to operate. It is Sarwate’s understanding the fixit is as good as a patch in actually limiting the risk of the vulnerability.
That said, Kandek noted that Microsoft’s fixit patches are not uniformly deployed in most enterprise organizations. In his view, the majority of organizations wait for an official patch. While the fixit can mitigate the risk, Kandek noted that web gateways that filter traffic can also be of use. The XML flaw is typically triggered through web browsing — and if an enterprise is already filtering out bad traffic, there is the potential to restrict access to the malicious sites that would trigger the XML flaw.
IE Fixes Accelerate
The July Patch Tuesday release is also notable for a critical Internet Explorer update MS12-044, fixing two vulnerabilities. The two vulnerabilities are a cached object vulnerability and an attribute remove vulnerability, both of which could result in arbitrary remote code execution.
“The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory,” Microsoft states in its MS12-044 advisory.
For the most part, Microsoft has kept to a two-month release cycle for IE updates in recent years. Microsoft also patched IE in June, making this month’s update a rare back-to-back event. Going forward, Microsoft will be accelerating their process for IE patching to reduce the time lag between vulnerability disclosure and patch.
“Usually, Microsoft sticks to an extensive two month test cycle for Internet Explorer, so that’s why we’ve only seen them every other month,” Andrew Storms, director of security operations for nCircle, said in a email sent to eSecurity Planet. “It’s good to know that Microsoft can deliver IE patches faster, but IT security teams are probably less than thrilled, since they are going to see a lot more IE patches, including the one released today.”
While not directly an IE flaw, the MS12-045 bulletin detailing a vulnerability Microsoft Data Access Component is also a browser related issue.
“The vulnerability could allow remote code execution if a user views a specially crafted webpage,” Microsoft warns in its MS12-045 advisory. “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.”