Patch Tuesday: Microsoft raises alert for dangerous IE, Windows flaws


Summary: Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.


Microsoft today warned that cyber-criminals could soon aim exploits at critical security flaws in the Internet Explorer browser and Windows to hijack and take complete control of vulnerable machines.

The warning comes as part of this month's Patch Tuesday where Microsoft released 7 bulletins with fixes for at least 26 documented vulnerabilities affecting the Windows ecosystem.

The company is urging users to pay special attention to MS12-037 and MS12-036, which provide fixes for "remote code execution" vulnerabilities that could be used in worm attacks and drive-by downloads without any user interaction.

MS12-037, which affects all supported versions of the IE browser, fixes 13 vulnerabilities that expose users to computer hijack attacks if a user simply surfs to a rigged web site. Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.

The company warned that information on one of the browser flaws is already publicly available, which means that hackers have already gotten a head start on preparing attacks.


The second high-priority bulletin is MS12-036, which covers a dangerous flaw in the way Microsoft implements the Remote Desktop Protocol (RDP) in Windows. "Attack vectors for this issue include maliciously crafted websites and e-mail," the company warned.

This is the second major RDP flaw haunting Windows in the space of a few months.

According to Marc Maiffret, CTO at BeyondTrust, the Internet Explorer and RDP issues present the "more immediate exploitable threats."

"Given the value of Remote Code Execution on RDP there will surely be a lot of folks trying to weaponize that vulnerability. Only time will tell if people are successful with this RDP flaw where they were not with the one in March," Maiffret added.

Windows users and administrators will also want to treat the MS12-038 bulletin with the highest possible priority. From the bulletin:

This security update resolves one privately reported vulnerability in the Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions.

Microsoft also expects to see exploit code for this vulnerability within the next 30 days.

In addition to the security bulletins, Redmond's security response team is also releasing an automatic updater feature for untrusted certificates on Windows Vista and Windows 7.

The new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted.

With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update. This new automatic update mechanism, which relies on a list of untrusted certificates known as a Disallowed Certificate Trust List (CTL), is detailed on the PKI blog. We encourage all customers to install this new feature immediately.

In August, Microsoft is also planning to release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. "Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority," Microsoft explained.
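A practical check for administrators preparing for the key-length change described above: the following PowerShell script, added here as an illustration rather than code from the article or from Microsoft, walks the local certificate stores and lists every certificate whose RSA public key is shorter than 1024 bits, i.e. the certificates the August update will treat as invalid. The store paths and the 1024-bit threshold are assumptions taken from the article; adjust them for your environment.

```powershell
# Added example, not from the article or Microsoft: find certificates that
# the announced key-length update will reject (RSA keys under 1024 bits).
# Run in an elevated PowerShell session on Windows Vista / 7 or later.
$minBits = 1024   # threshold named in the article (assumption: unchanged at release)

# Stores to inspect; add others (e.g. a service account's store) as needed.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\My',  'Cert:\CurrentUser\Root'

$weak = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        # Only RSA certificates are affected by the change; skip ECC/DSA keys,
        # whose .Key property may also throw on older .NET versions.
        if ($_.PublicKey.Oid.FriendlyName -eq 'RSA') {
            $bits = $_.PublicKey.Key.KeySize
            if ($bits -lt $minBits) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
        }
    }
}

if ($weak) {
    $weak | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
} else {
    "No RSA certificates under $minBits bits found in the inspected stores."
}
```

Certificates that appear in the output will need to be reissued with a longer key (or removed) before the update ships, since a trusted issuer will no longer save them.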

These changes follow the incredible discovery that attackers with nation-state backing hacked the Windows Update utility to spoof certificates and spread the Flame malware within Windows networks.

  • These news are so common

    You can say the sole act of having Windows and using IE is a vulnerability. Every day MS is launching updates for some random vulnerability. In OSS it might be different, but well, this just became one of the MS ways to make money with IT security companies through NDAs.
    • Re: These.......

      To quote you, "Every Day MS....." Gee, at least they do it every day. NOT like another OS who only does it about every 3 months and only after they've been called on the carpet by numerous articles. Name left intentionally out!
    • Exaggerate Much?

      Security updates are sent out once a month on the second Tuesday; non-security updates are sent out on the fourth Tuesday of the month, with an occasional out-of-band security update 2-3 times a year.
      Doctor Demento

    Microsoft Windows is utter garbage. It is only a matter of time before the world realizes that they don't need it; it's expensive and gums up the works of any enterprise or home computer.
    • The long goodbye

      These "vulnerabilities" are so unnecessary. Windows needs to be rewritten from scratch.
      • Every piece of software has vulnerabilities

        without fail.

        Every single one.
        Michael Alan Goff
      • Every piece of software has vulnerabilities

        That's usually the excuse you hear from Windows fanboys; they totally dismiss the severity and number of vulnerabilities.

        Not all software is created equal.
      • Windows 8..

        ... IS basically a re-write from scratch.
      • If I was a Windows fanboy

        wouldn't I be using my Windows 8 install a majority of the time instead of Beefy Miracle?

        Find me a piece of software without the need for patches. I'll wait.
        Michael Alan Goff
      • Every piece of software has vulnerabilities???

        Well Duhhhhhhh.... Thank you Captain Obvious!!!

        And the more software that resides on any system, the more vulnerable it is... And if the OS is poorly designed cr@p, it's even more vulnerable... But all of that belongs under the category of common sense, not profound revelation.
      • Apparently it wasn't so obvious.

        As we have a number of people making posts as if Windows was the only piece of software which has vulnerabilities.
      • using my Windows 8 install a majority of the time instead of Beefy Miracle?

        Good for you; however, the comment "Every piece of software has vulnerabilities" is still a Windows fanboy comment, like yeah, just ignore the sheer number and severity of them all. It's a bit like saying it rains everywhere, but some places get a whole lot more rain than others.
      • It was already shown Windows has less.

        [i]...just ignore the sheer number and severity of them all...[/i]

        Yet here you are continuing to argue it has more. As for severity, you have yet to demonstrate Windows vulnerabilities are more severe than other operating systems. But go ahead, keep making these foolish claims. No one is buying, at least no one who isn't in your choir.
      • It was already shown Windows has less

        Oh really? And where does it show that, by the way? Please post your proof. I hope you aren't talking about Secunia, where they list every piece of software in a Linux distro's repo as a Linux vulnerability.
        And by the way, while you are there take a look at Windows 7; you will find it still has 5 unpatched vulnerabilities, one is rated as highly critical (from remote), it was discovered on 2010-10-29 and is still unpatched. Why? Does Microsoft just not care?

        All you have to do is take note of phrases like this: "to hijack and take complete control of vulnerable machines". Those words always seem to pop up on Patch Tuesday, and google this: "90 percent of Windows 7 flaws fixed by removing admin rights". Yes, that's right, it's 2012 and Windows still doesn't use a proper standard user account.
        These aren't foolish claims, they are plain facts, like it or not.
    • Expensive?

      Seriously? Expensive? Let's see... The lowest cost Windows machine is $499, and with it comes Windows 7 Home Premium. You get the Microsoft SE AV program, which is free from Microsoft. Your system will receive updates for the next 10 years. Total cost $499.
      The lowest cost Apple Machine is $999. You get Lion installed. You need to update your system every two years at an additional cost of $20 to keep receiving security updates and patches. Total cost over two years $1099. No anti virus is needed (depends on who you ask).
      If you want to compare same hardware the cost of a Windows machine will come in at $749 against Apple's $999.
      From a pure consumer perspective Microsoft is cheaper.
      • $499? I paid $299 for my HP System

        Quad core, 8GB of RAM, 750GB HD, LightScribe DVD, USB 2.0, FW, card reader, etc. And that was a few years ago. Micro Center has inexpensive laptops starting at $299 today.
      • $499? I paid $299 for my HP System

        Yeah, they're junk. You get what you pay for.
  • Windows 8 will dominate... with the amount of malware, that is.

    Fortunately for users, they will be so appalled by its uselessness that they will be spared.
  • Anti-Vulnerability Switch

    I've just found out that every computer known to man has a built-in Anti-Vulnerability Switch, if you press it then you are guaranteed to never get infected by any virus, worm, or any other kind of malware.

    It's labeled "Power".

    Get real, people: vulnerabilities and exploits are inherent in any piece of software involving millions of lines of code. It's the times we live in, get over it. Most Windows vulnerabilities are being exploited by targeting third-party apps like Flash; the core Windows OS is pretty much safe. It's safer than ***X OSs; if there were as many of those systems in the wild as Windows systems, ***X hacks would be an epidemic. Run Windows Update, keep up with your third-party updates, and the chances that you are going to be a victim of the latest and greatest hack are very slim.
  • IT will not tell you when this happens.

    Automatic Windows updates enabled will eventually allow AI to infect every connected Windows machine, simultaneously. IT will not tell you when this happens; you will notice your plastic is rejected and your bank balance shows negative. Reading about cyber war casualties after the fact is preferable to being one of them. IE is useful for real-time monitoring of Windows updates on Wednesday; so if the SHTF, updates won't work.