Microsoft Fixes 19 Security Flaws in November Patch Tuesday Update

From IE 9 to Windows, this month's patches cross a number of Microsoft products and include four critical updates out of the six security bulletins the company released on Nov. 13.

Microsoft pushed out six security bulletins covering 19 vulnerabilities across Windows, Internet Explorer and several other products.

Four of the six updates are rated "Critical," Microsoft's highest threat rating. Of those four, two should get immediate attention – MS12-071 and MS12-075, the company said.

MS12-071 addresses three security issues in Internet Explorer (IE), none of which are known to be currently under attack. However, Microsoft indicated it expects exploit code to be available soon, and successful exploitation of these issues would allow an attacker to remotely execute code. Only IE 9 is affected.

"Microsoft rates its exploitability as "1," which means that it is relatively easy to develop the code necessary to take advantage of one of the four fixed vulnerabilities," blogs Qualys CTO Wolfgang Kandek. "However, the problem only affects IE 9 and anybody that is running a different version (7, 8 or 10), which is 90 percent of all enterprise IE users, can move on to the next vulnerability."

MS12-075, however, addresses three vulnerabilities in the Windows kernel in all supported versions of Windows. The most severe of the flaws permits a successful hacker to remotely execute code on the compromised system if the attacker can lure the user to a Website with a maliciously-crafted TrueType font file embedded.

"Microsoft has been dealing with font issues for a while," said Paul Henry, security and forensic analyst at Lumension.”True Type Fonts can be embedded all over the place and Windows kernel mode driver renders the font. If these fonts are embedded in a browser or a Word document, for example, it’s rendered in the kernel mode driver and winds up becoming a kernel mode exploit."

"This is a very effective attack mode, so Microsoft tries to close out font issues quickly," he added. "This is as high a priority as MS12-071. Those two bulletins will be the two biggest attack vectors in this batch."

The other two critical bulletins address issues in the Windows shell (two vulnerabilities) and the .NET Framework (five vulnerabilities). In the case of the Windows shell issues, the vulnerabilities could allow remote code execution if a user browses to a specially-crafted briefcase in Windows Explorer.

An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. The vulnerabilities in .NET Framework could also allow remote code execution if an attacker convinces the user of a target system to use a malicious proxy auto configuration file and then injects code into the currently running application, according to Microsoft.

Though these two bulletins are listed as critical, due to the complexity of exploitation, they are not a serious risk to most organizations, opined Rapid7 Security Researcher Marcus Carey.

"To launch a successful attack against either of the vulnerabilities listed requires very specific configurations and environments," he said. "I call this sort of attack scenario, 'the stars must all align attack vectors.'"

The final two bulletins deal with vulnerabilities in Microsoft Excel and Internet Information Services (IIS), and are rated 'Important' and 'Moderate' respectively.

The holidays are here, which means many businesses may be hesitant to implement patches for fear of adversely impacting their environments.

"Many financial and retail organizations go into IT ‘lock-down’ for the last few months of the year," said Andrew Storms, director of security operations, at nCircle. "They don’t want to introduce any changes that may impact their ability to process transactions during the holiday shopping season.

It’s likely that none of today’s patches will be applied to the server infrastructure of these organizations, so Microsoft’s comprehensive mitigation advice is critical. It allows these organizations to mitigate the security risk without compromising downtime.”