There is only one critical bulletin this month, MS12-004, which covers two vulnerabilities related to Windows Media files. A specially crafted malicious media file could allow remote code execution, but only with the privileges of the logged in user.
Microsoft classifies MS12-001 as a security feature bypass and considers it important along with the other five bulletins.
Windows programs use a protective exception-handling mechanism called SafeSEH when they crash. There is a bug in SafeSEH that could allow malicious applications compiled with Visual C++ .NET 2003 to manipulate the exception handler and execute arbitrary code.
Bulletins MS12-002 and MS12-005 both cover remote code execution vulnerabilities that could allow an attacker to run arbitrary code as the logged in user.
MS12-003 is a bit obscure and could allow elevation of privilege on systems older than Windows 7 or Windows 2008 R2 which also have Chinese, Japanese or Korean system locales.
MS12-006 tackles the problems introduced last October by the BEAST attack against SSL/TLS 1.0. Microsoft has updated their libraries to be sure that TLS 1.1/TLS 1.2 and all ciphers which do not use CBC (Cipher Block Chaining) mode are not vulnerable.
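The bulletin's criterion above (an old protocol version together with a CBC-mode cipher) is easy to turn into an audit of your own connection logs. The following is an added example, not code from the original post or from Microsoft; the connection records are constructed sample data, and the protocol and cipher suite spellings are assumed to follow the usual IANA-style names.

```python
# Added example (not from the original post): flag TLS connection records that
# fall inside the BEAST-affected set described for MS12-006, namely SSL 3.0 or
# TLS 1.0 negotiated together with a CBC-mode cipher suite.
# The protocol names and connection records below are constructed sample data.
import re
from collections import Counter

# Protocol versions that still use the chained-IV CBC construction BEAST targets.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}

# Constructed connection log: (client address, negotiated protocol, cipher suite).
SAMPLE_CONNECTIONS = [
    ("10.0.0.5",  "TLSv1",   "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("10.0.0.6",  "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("10.0.0.7",  "TLSv1",   "TLS_RSA_WITH_RC4_128_SHA"),
    ("10.0.0.8",  "SSLv3",   "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("10.0.0.9",  "TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("10.0.0.10", "TLSv1.1", "TLS_RSA_WITH_AES_256_CBC_SHA"),
]


def is_cbc_suite(suite: str) -> bool:
    """True if an IANA-style cipher suite name names a CBC-mode bulk cipher.

    Block-cipher suites spell out the mode ("_CBC_"); stream ciphers such as
    RC4 and AEAD modes such as GCM or CCM carry no CBC token.
    """
    return bool(re.search(r"_CBC_", suite.upper()))


def beast_exposed(protocol: str, suite: str) -> bool:
    """A connection is in scope only when BOTH conditions hold: an old
    protocol version AND a CBC-mode suite. TLS 1.1/1.2, or any non-CBC
    suite, puts the connection outside the affected set."""
    return protocol in BEAST_PROTOCOLS and is_cbc_suite(suite)


def audit(connections):
    """Return the exposed (client, protocol, suite) records plus a count per
    protocol, so an administrator can see which clients still negotiate an
    affected combination after the update has been rolled out."""
    exposed = [c for c in connections if beast_exposed(c[1], c[2])]
    by_protocol = Counter(c[1] for c in exposed)
    return exposed, dict(by_protocol)


if __name__ == "__main__":
    exposed, counts = audit(SAMPLE_CONNECTIONS)
    for client, proto, suite in exposed:
        print(f"EXPOSED {client}: {proto} {suite}")
    print("exposed connections per protocol:", counts)
```

Run against the constructed log, only the TLS 1.0 AES-CBC and SSL 3.0 3DES-CBC connections are flagged; the RC4 connection on TLS 1.0 and every CBC connection on TLS 1.1 or 1.2 pass, which is exactly the distinction the bulletin draws.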
MS12-007 affects system administrators who are using Microsoft’s AntiXSS (Cross Site Scripting) libraries to sanitize input on their websites. If your web team uses Microsoft AntiXSS you should apply this update as soon as possible.
Adobe also released their quarterly update for Adobe Acrobat and Adobe Reader. This month they patch six CVEs, including the two they had rushed out as out-of-band fixes last year for Adobe Acrobat/Reader 9 users.
The other four vulnerabilities could lead to remote code execution which is always a bad thing. Adobe have bundled in the security fixes for the embedded version of Flash that is included in Adobe Reader as well.
I would like to point out one thing before you run off to start patching and testing your systems. You’ll notice that most of the Microsoft bulletins can only execute code with the privileges of the logged in user.
Despite all the complaints about UAC and the other methods Microsoft supplies for elevating privilege, it is critical to take advantage of these technologies if your users occasionally require administrative rights.
Not being an admin significantly lowers your risk. There wasn’t really a good excuse for giving everyone admin rights back in the days of Win XP, so there’s certainly no excuse in 2012.
Only administrators should have administrator rights, and they should be logged in as administrators only when they are actually involved in administration tasks. (It’s amazing how obvious this sounds when written out that way, isn’t it?)
Being slack with admin privileges means you’re putting yourself – and everyone around you on the internet – at needless risk.