Microsoft targets vulnerabilities in Windows, Internet Explorer and other products in its June security update.

Microsoft patched more than two dozen security vulnerabilities across several of its products.

The patches were included in seven bulletins, three of which are rated "critical" and address issues related to Internet Explorer, .NET Framework and the Remote Desktop Protocol (RDP). The other four bulletins are rated "important," though like the critical ones they have all been given an exploitability index rating of 1, meaning that the development of exploit code is likely.

The MS12-037 bulletin, which contains 13 security fixes for Internet Explorer, is being regarded by Microsoft and some security researchers as one of the most important to deploy immediately. One of the vulnerabilities it fixes, CVE-2012-1875, is already being used in limited attacks in the wild. The bulletin also fixes CVE-2012-1876, which was used by VUPEN Security during the PWN2OWN contest held early this year at CanSecWest.

"This is probably one of the most severe bulletins because exploit code is likely to be created for one or more of these vulnerabilities, which leads to the potential for drive-by malware attacks across all versions of Internet Explorer," said Marc Maiffret, CTO at BeyondTrust. "This, in our opinion, is one of the more important sets of patches to roll out as soon as possible."

Another critical bulletin garnering attention is MS12-036, which addresses a flaw in Remote Desktop that could enable remote-code execution if an attacker sends a sequence of specially crafted RDP packets to a vulnerable system. RDP is not enabled by default in Windows, however, and systems that do not have it enabled are not at risk.

"This relates to MS12-020, which had organizations on high alert in March after Microsoft issued warnings that the vulnerability could be weaponized to result in widespread attacks," noted Marcus Carey, security researcher at Rapid7.

"Up to now, MS12-020 has only been exploited as a reliable denial-of-service attack; however, from what I understand, MS12-036 may offer a more reliable attack vector for exploitation. The silver lining is that after MS12-020, many organizations took preventative measures to disable RDP, especially at egress points in their networks. If organizations must run RDP on the Internet, they should test and deploy MS12-020 patches as soon as possible."

The final critical bulletin dealt with a .NET Framework vulnerability that could permit remote-code execution if a user views a malicious Web page using a browser that can run XAML Browser Applications (XBAPs). The vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions.

In addition to the bulletins, Microsoft also released an advisory regarding a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0 and 6.0. According to Microsoft, the issue exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory and ultimately allow an attacker to execute code. In a blog post, Angela Gunn of Microsoft's Trustworthy Computing Group said that the investigation into the vulnerability is ongoing. However, the company has released a workaround for anyone who believes they are affected.