Microsoft patches 23 Windows flaws, warns of risk of code execution attacks

Summary: The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.

TOPICS: Security, Microsoft

Microsoft wheeled out another batch of security patches today to fix multiple dangerous security flaws that expose billions of Windows users to remote code execution attacks.

The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.

The company is urging Windows users to pay special attention to MS12-034, a "critical" bulletin that patches 10 distinct security holes. Three of these vulnerabilities have already been publicly disclosed and Microsoft expects to see working exploit code released within 30 days.

The vulnerable code in the MS12-034 bulletin is linked to the Duqu malware that was used to spy on high-profile targets in Iran.

Some details:

  • MS12-034 (Microsoft Office, Windows, .NET Framework, and Silverlight): This security update resolves three publicly disclosed vulnerabilities and seven privately reported vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

Microsoft is also highlighting MS12-029 as another high-priority update that should be deployed immediately. This bulletin, also rated critical, addresses a security flaw in Microsoft Word that could be exploited by hackers to take complete control of a vulnerable machine. Attack vectors for this issue include maliciously crafted websites and email, the company said.

Here's a glimpse at the rest of this month's updates:

  • MS12-035: This security update resolves two privately reported vulnerabilities in the .NET Framework. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-030: This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-031: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-032: This security update resolves one privately reported and one publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
  • MS12-033: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Talkback

  • I'm going to be busy patching this week

    This week I have to patch my iPhone, iPad, and Windows laptop. Why can't Apple or MS make an OS that just works?

    Sorry, let me rephrase that for the Apple fanbois: Why can't MS make an OS that just works?

    PS I had to reboot my iPad after the patch. Haven't patched my iPhone yet but I'm guessing I'll have to reboot that too. Why can't Apple release patches that don't require reboots? Sorry, let me rephrase that for the Apple fanbois: Why can't Microsoft release patches that don't require reboots?

    PPS My laptop reboots faster than either of my iDevices. Windows 7 is great.
    toddbottom3
    • Updates

      Don't Linux, Mac and Unix all require updates for critical components and services?
      stackdaddy
      • Linux, Unix and Mac are Unix based, they also have updates, but not so much

        One of the biggest issues is applying Windows patches and rebooting them on 24x7 network servers. We just estimated that Windows requires between 80 and 100 hours of downtime per year compared to around 4 hours on Linux machines. If running SQL Server, the downtime actually increases to around 120 hours whereas it stays the same for Linux.
        GoForTheBest
      • The data shows you're wrong.

        @iRMX:

        [i]Linux, Unix and Mac are Unix based, they also have updates, but not so much[/i]

        Windows had the lowest vulnerability count. At least that was the case about a year ago. I haven't compared them lately.
        ye
      • Linux downtime

        Kernel updates require reboots. Rarely do these need to be applied, unless you've local users (who could then take advantage of privilege escalation vulnerabilities).

        We've plenty of internet facing servers (dns, smtp, pop/imap, http, vpn) and intranet servers (samba, dns, internet gateways, rsync) with up-times measured in years. All services patched.

        The MCSE wonders why Unix admins get frustrated with the Windows patch/reboot cycle (and that stupid registry!)
        Richard Flude
      • Windows had the lowest vulnerability count

        Since when?
        guzz46
      • @ye

        >>Windows had the lowest vulnerability count. At least that was the case about a year ago. I haven't compared them lately.
        How do you count that count? Do you apply any severity weight to it? Do you include all distro packages or just a kernel? Debian/Ubuntu has about 30000 packages (my (X)ubuntu 12.04 gives 37461 packages).
        On the other hand remote code execution is quite rare. Patches are available for ALL packages including "third-parties" (in MS' lingo) and not just on the monthly basis.
        eulampius
      • Windows had the lowest vulnerability count

        @guzz46

        Windows XP was released in August 2001. Until today (it still receives security updates) it has experienced 534 vulnerabilities.
        http://secunia.com/advisories/product/22/

        The Linux [i]kernel[/i] 2.6 was released in December 2003, i.e. it has had a lifespan which is more than 2 years shorter than Windows XP. Still, the Linux [i]kernel[/i] has experienced 624 vulnerabilities.
        http://secunia.com/advisories/product/2719/

        Now, this is just the Linux [i]kernel[/i]. The Linux kernel is not functionally equivalent to Windows XP. For example, the Linux kernel does not include a Window manager, desktop, media player, video editing or a *browser*. You cannot reach the same functionality as XP using Linux without adding products which will rake up the vulnerabilities.

        Going over the list of XP vulnerabilities we find that vulnerabilities in the following software have been included in the Windows XP count (i.e. *not* vulnerabilities in the Windows kernel):
        HTML Help, Support Center, zip utility, Microsoft's Java VM (yes, they distributed a Java VM back in the day), RDP/Terminal Services, script engine, Shell, Media Player, HTML converter, NetMeeting, DirectX, Microsoft Data Access Components, ListBox and other GUI controls, Internet Explorer, IIS, SMTP service, Firewall, Indexing Service, Telnet client, Microsoft Agent, Step-by-Step Interactive Training vulnerability. Even Flash Player was included with the first version of Windows XP and vulnerabilities of Flash counted towards Windows XP vulnerabilities until taken out.

        But already *before* adding vulnerabilities of equivalent software, Linux has experienced more vulnerabilities than good old Windows XP. During a period which is more than 2 years shorter.
        honeymonster
      • Linux updates

        @honeymonster

        Likewise, Windows XP generally does not include driver updates for most third-party hardware, whereas the Linux kernel does. That's the reason why the Linux kernel source is so huge despite the fact that it is only a small component of a running computer. And a single computer only uses a small fraction of what goes into the Linux kernel source, so the odds that a single kernel patch affects your computer are pretty slim.

        But pissing match aside, I would say that in the last 5 years both operating systems have done as well as can be expected on the security front.
        Michael Kelly
      • @honeymonster , 2.6.27,3[245] and 3.*

        Linux v3.* is only several months old and is a continuation of the 2.6 trunk. It's just a reversioning of 2.6*. So it is more fair, then, to compare it against Windows Vista/7/8, Server and phone.
        eulampius
      • honeymonster

        It's good to see you not taking into account third-party software this time, however your example is still very misleading because each kernel in the 2.6 tree (2.6.0 through to 2.6.39) is a new kernel, which adds new features, new drivers etc., whereas XP is frozen in time (bar security updates).

        But while you are at Secunia maybe you should take a look at how many unpatched vulnerabilities Windows 7 has, and the severity rating they have, and how long they have been unpatched for.
        guzz46
      • Updates

        [i]Doesn't Linux, Mac and Unix all require updates for critical components and services?[/i]

        Yes they do. But they still aren't the Swiss cheese Windows is.
        ScorpioBlack
      • Windows had the lowest vulnerability count

        [i]Since when?[/i]

        Since @ye told us. ;)
        ScorpioBlack
      • Look at all the ABMers trying to defend Linux vulnerability counts.

        Using every excuse in the book to dismiss the higher counts in Linux. You can't write better comedy.
        ye
      • ye says it's so

        So that must make it so. ;)

        Besides, what do you care? You don't even use Linux anyway.

        [i]Using every excuse in the book to dismiss the higher counts in Linux. You can't write better comedy.[/i]

        A vulnerability is not the same as an exploit. I'm not really worried about it.

        Unlike our favorite Microsoft fanboy here spreading Fear, Uncertainty & Doubt.
        ScorpioBlack
      • Since @ye told us

        Ahh yes I forgot, ye is an expert in these matters, so much so that he doesn't need to post evidence backing up his claims, his written word is enough.
        guzz46
      • ye is a hypocrite

        He always demands that others substantiate everything with references, but those rules don't apply to him. Typical.
        rahbm
    • Try making bug free code sometime . . .

      "Why can't Apple or MS make an OS that just works?"

      Try making a few lines of bug free code yourself sometime . . .

      . . . and multiply the number of bugs you end up with by about a million.
      CobraA1
      • Oh, trust me, I know

        I am just reminded about how we are usually inundated by comments about how these patches prove that MS can't make an OS that works. The timing was just too perfect considering I have to update my iOS devices, again, the same day I have to update my Windows computers.
        toddbottom3
      • Dear toddy, you don't fool us for a moment

        Do you [i][b]honestly[/b][/i] expect us to believe you would ever even own, let alone buy, an Apple device? You would rather die.
        rahbm