Original URL: http://www.theregister.co.uk/2012/12/12/dec_patch_tuesday/
Microsoft Santa gifts you with 5 critical fixes in Xmas Patch Tuesday
Still using Word? You'll want to read this
Posted in Security, 12th December 2012 17:02 GMT
December's Patch Tuesday brought seven bulletins from Microsoft, five of which cover critical security vulnerabilities.
A critical update for MS Word (MS12-079) is rated by security watchers as the most important of the batch. A flaw in Rich Text Format (RTF) processing poses a severe risk because Microsoft Outlook automatically displays the malicious text in the Preview Pane - without requiring user interaction.
Another critical update (MS12-077) tackles security bugs in Internet Explorer 9 and 10, and creates a risk of drive-by download attacks involving tricking users into visiting websites contaminated with malicious code.
A further critical update fixes a vulnerability in a Windows file-handling component, while the remaining items on the critical list grapple with vulnerabilities in Windows kernel-mode drivers involving font handling and security bugs in Microsoft Exchange, arising from the inclusion of buggy versions of Oracle Outside In file conversion software.
A graphical overview of the patches can be found in a post by the SANS Institute's Internet Storm Centre blog here [1]. Microsoft's bulletin is here [2].
Trustwave SpiderLabs has written a blog post [3] comparing this week's patch batch to different brands of beer. IE updates are compared to Guinness Draught while the remote code execution in kernel-mode drivers is racked alongside 120 Minute IPA.
Microsoft also used Patch Tuesday to publish a new whitepaper [4] on defensive techniques against "Pass the Hash" attacks. "Pass the Hash" is a technique used by attackers after the initial exploit, in which they use stored password hashes to gain access to other machines on a local network. Such stepping-stone attacks are standard network hacking practice, so defending against them using better configuration practices makes a lot of sense.
The seven bulletins in December bring the total count for 2012 to 83, a significant reduction on the 100 bulletins in 2011 and even more from the 2010 count, which ended with 106 bulletins.
Adobe recently began co-ordinating its security patch releases with Microsoft's output. Tuesday offered security updates to Adobe ColdFusion 10 (and earlier) and Flash Player. The Flash update [5] is configuration dependent, but can be critical, while the ColdFusion security patch [6] is given the lower status of "important". ®
Links
- https://isc.sans.edu/diary/Microsoft+December+2012+Black+Tuesday+Update+-+Overview/14683
- http://technet.microsoft.com/en-us/security/bulletin/ms12-dec
- http://blog.spiderlabs.com/2012/12/microsoft-patch-tuesday-december-2012-99-bottles-of-beer-on-the-wall-the-head-of-trustwave-spiderlabs-nicholas-per.html#more
- http://blogs.technet.com/b/security/archive/2012/12/06/new-guidance-to-mitigate-determined-adversaries-favorite-attack-pass-the-hash.aspx
- http://www.adobe.com/support/security/bulletins/apsb12-27.html
- http://www.adobe.com/support/security/bulletins/apsb12-26.html
