Microsoft Releases Critical IE, Word Fixes on Year's Final Patch Tuesday

Five of the seven bulletins issued this month are rated "critical," Microsoft's most severe rating.

Microsoft issued seven security bulletins today as part of its final Patch Tuesday release for the year.

In all, the update fixes 12 vulnerabilities affecting Internet Explorer, Windows, Microsoft Word and Windows Server. According to Microsoft officials, the most pressing fixes are included in MS12-077 and MS12-079, which deal with issues in Internet Explorer and Microsoft Word, respectively. Neither vulnerability is known to be under attack, the company said.

"The Microsoft Internet Explorer code maintains three different use-after-freevulnerabilities that are being patched this month," blogged Kaspersky Lab Expert Kurt Baumgartner. "This 'use-after-free' category of bugs is continuing to prove very difficult to stamp out, even in meaty, prevalent attack vectors like Internet Explorer. It was this sort of vulnerability that was abused in the 2010 Aurora cyber-espionage attacks on Google, Adobe and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark."

The Word vulnerability rests in the way that affected Microsoft Office software parses specially crafted Rich Text Format (RTF) data. According to Microsoft, the vulnerability can be exploited to enable remote code execution if a user opens a specially crafted RTF file using a vulnerable version of Microsoft Office.

"This one is interesting from an attacker perspective as a victim can be compromised if they preview or open an email message in Outlook while using Microsoft Word as the email viewer," said Marcus Carey, security researcher at Rapid7. "Since it involves Outlook, which is a primary business tool in many organizations, this would be number two on my to-do list."

The remaining "critical" bulletins are MS12-078, affecting Windows; MS12-080, impacting Microsoft Exchange Server; and MS12-081 in Windows. Each of the bulletins address issues that, if exploited, allow attackers to remotely execute code on the compromised machine.

A recurring vulnerability tucked into the Patch Tuesday update is the TrueType font-parsing issue addressed by MS12-078, said Marc Maiffret, CTO of BeyondTrust.

"We've continually seen TrueType and other font-parsing bugs get patched over the past year, since the arrival of state-sponsored malware targeting these types of bugs," he said. "This is the most important patch to get rolled out this month, since malicious TrueType fonts can be embedded in documents as well as other mediums. This has been shown to be an effective method of exploitation, so be sure to patch this one immediately."

Rounding out the list of patches are two bulletins rated "important" that address issues in Windows. MS12-082 resolves a vulnerability in the way DirectPlay handles specially crafted content. If an attacker gets a user to view a malicious Office document with embedded content, the vulnerability could potentially be exploited to allow remote code execution. The final vulnerability, MS12-083, could be exploited to permit an attacker to bypass a security feature in Windows due to Windows' failure to properly check the validity of certificates.

Barring an emergency update, the December Patch Tuesday brings the year's final tally of security bulletins to 83. This is down from 100 in 2011 and 106 in 2010.

"Maybe even more important than the raw numbers is the more regular release rhythm that Microsoft set this year," blogged Wolfgang Kandek, CTO of Qualys. "We see this as a clear sign of a more mature process."