“The good news is that there are only six bulletins this month; the bad news is that four of those are rated as critical and five of them result in Remote Code Execution,” explains Ziv Mador, director of security research at Trustwave SpiderLabs. He is not alone in his concern and surprise at the amount, scope, and severity of the vulnerabilities. Marcus Carey, a security researcher at Rapid7 explains that this, “may come as a surprise to many who expected Windows 8 and Windows Server 2012 to be much more secure than legacy versions. The truth is,” he says, “Microsoft and other vendors have significant technical debt in their code base which results in security issues.” Paul Henry, a security and forensic analyst with Lumension, is disappointed. “These bulletins impact many current generation products and that’s concerning. Nothing is ever 100 percent secure... But it’s still ugly to see.”
Most attention is likely to focus on the Internet Explorer vulnerability, rated critical, which is vulnerable to drive-by exploitation. “This will be the top priority for both businesses and consumers,” commented Carey, “since an attacker would be able to compromise their system if the user visits a malicious web page.” Henry added that the patch “addresses 3 CVEs. Nothing is under active attack; however, this is a high priority update and should be considered the highest priority for those running Windows 7 or Vista.”
Three more of the bulletins are critical, affecting “all Microsoft operating systems, from Windows XP, Windows 7, Windows 8, all the way up to Windows Server 2012,” notes Carey. Henry explains more. One bulletin is a true type font issue. “It resolves 3 vulnerabilities, the worst of which is a remote code execution,” he said. “If these fonts are embedded in a browser or a Word document, for example, it’s rendered in the kernel mode driver and winds up becoming a kernel mode exploit. An authenticated, low-rights user could visit a website, the font gets rendered, and it gets rendered as ‘system’.” Henry considers this patch to be as important as the IE patch. “Those two bulletins,” he says, “will be the two biggest attack vectors in this batch.”
The third critical vulnerability is a Briefcase issue. “There are some prerequisites, but at the end of the day, it is a critical and ugly vulnerability, because it does affect XP through Windows 7. It’s another high priority,” he says. The fourth bulletin fixes 5 vulnerabilities in the.net framework. “Worst case scenario,” says Henry, “it allows for man-in-the-middle attacks, which could lead to a remote code execution. This is critical, but not your highest priority.”
The bulletin marked as ‘important’ is an Excel issue – a file format bug. It needs to be addressed, but cannot be exploited automatically. The final bulletin addresses an information disclosure issue via FTP. “It’s ‘moderate’,” says Henry. “which typically means attackers have to authenticate to pull off the attack. And we all recognize if they can authenticate, they pretty much own the machine anyway.”
Six bulletins, four of them critical, and most requiring a restart – all coming on this month’s Patch Tuesday.