“If you were hoping for a nice relaxing Patch Tuesday after the holidays, well, sorry to disappoint you,” warns Ziv Mador, director of security research at SpiderLabs.
“We’re looking at 7 bulletins,” Lamar Bailey, director of security research and development with nCircle, told Infosecurity, “all of them affecting Windows itself. There are a few important ones involving privilege escalation and denial of service – but it’s bulletins one and two that are the most concerning. The first one only really affects Windows 7, but the second one pretty much affects every version of Windows, including Windows 8.” Bulletin 2, he said, “is the one that’s a bit scary, because it must involve Windows Core for it to be that widespread.”
Wolfgang Kandek from Qualys makes the same point: “It is likely that [Bulletin 2 concerns] a vulnerability in one of the base libraries of Windows that is widely used, such as Windows XML Core Services, which had its last fix in July of 2012 under MS12-043.” Ziv Mador agrees: “This is most likely an issue in one of the base libraries meaning it will have a wide impact.”
What is missing from these bulletins is anything directly affecting the 0-day IE flaw discovered over the holiday and temporarily patched with a Microsoft Fix-it. Since Fix-its are manually implemented rather than pushed out automatically, this is going to be a slow process. “For the non-technical user base, then IT is going to to have to do it for them; and that’s going to take time,” commented Lamar Bailey. “Exploitation is still in its infancy, but it’s beginning to grow. I think we’re going to see more of it over the next few weeks, probably used in targeted attacks; but it’s not a simple plug-and-play exploit.”
Paul Henry, a security and forensic analyst at Lumension, has an interesting thought. “Microsoft often fixes one thing to address another, so it’s possible that they are correcting the issue with IE at the operating system level with one of the patches. If the browser is just a path to an underlying vulnerability in the operating system, then this issue will likely be fixed by one of the patches.” But nCircle’s Andrew Storms is doubtful: “It would have taken a miracle for Microsoft to patch a zero-day one week after a zero-day advisory.” It’s not the fixing, adds Bailey, “but testing the patch on all the different versions of IE is going to take many weeks.”
If this isn’t enough for one month, Microsoft issued a separate advisory yesterday. “There are also active ongoing attacks using fraudulent certificates issued by TURKTRUST Inc,” explained Mador. “The fraudulent certs were issued for *.google.com and could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. Microsoft has already updated the Certificate Trust List. If you are using the automatic updater of revoked certificates you are all set. If not, or you are still using XP or Server 2003, you will find an update for you in Microsoft Update.”