This week, Microsoft released seven bulletins fixing twenty-three vulnerabilities on Patch Tuesday. Three of the bulletins are rated as ‘critical,’ which could lead to remote code execution, whereas the remaining four are rated as ‘important.’
The first critical bulletin resolves a privately reported bug in Microsoft Office through which an attacker could remotely execute code after the user opens a specially crafted RTF file. The second patch resolves three publicly disclosed bugs and seven privately disclosed ones in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. These could also lead to remote code execution if an attacker can find a way to trick users into opening a specially crafted document or visiting a webpage that embeds TrueType font files.
The set of vulnerabilities fixed by the MS12-034 patch is designed to fix one of the vulnerabilities exploited by the Duqu malware. Microsoft had already patched that bug in other applications, but in the last few months, engineers discovered that a snippet of code in the CVE-2011-3402 vulnerability was present in other places in Microsoft products.
In a recent blog post, Microsoft writes, “In the time since we shipped MS11-087, we discovered that several Microsoft products contained a copy of win32k.sys’s font parsing code. Unfortunately, each copy of the code also contained the vulnerability addressed by MS11-087. The most troublesome copy was in gdiplus.dll. We know that several third party applications – 3rd party browsers in particular – might use gdiplus.dll to parse and render custom fonts. Microsoft Office’s version of gdiplus, called ogl.dll, also contained a copy of the vulnerable code. Silverlight included a copy of the vulnerable code. And the Windows Journal viewer included a copy of the vulnerable code.
“In addition to addressing the vulnerabilities described in the bulletin, this security update also closes the malicious keyboard layout file attack vector. Windows Vista introduced a requirement that all keyboard layout files be loaded from %windir%\system32. MS12-034 ports that change down level to Windows XP and Windows Server 2003 as well.” (Find Microsoft’s TechNet blog summary here).
The last ‘critically’ rated patch fixes two privately reported vulnerabilities in Windows and the .NET Framework. These could allow for remote code execution on client systems where the user views a specially crafted webpage that can run XAML browser applications. Again, users with fewer rights are less impacted.
Within the four ‘important’ patches remaining, the first resolves six vulnerabilities in Microsoft Office and the second resolves a vulnerability in Microsoft Visio Viewer. Both vulnerabilities, if left unpatched, could lead to remote code execution. The last two important patches could both lead to elevation of privileges. The first resolves two bugs in TCP/IP and the second resolves vulnerability in Windows Partition Manager.