Ad: Manage updates with the Download App
ie8 fix

Spyware, viruses, & security forum: Microsoft Security Bulletin Summary for June 2012

by: Carol~ June 12, 2012 10:20 AM PDT

Like this

0 people like this thread

Staff pick

Microsoft Security Bulletin Summary for June 2012

by Carol~ Moderator - 6/12/12 10:20 AM

Microsoft Security Bulletin Summary for June 2012

Published : June 12, 2012

Microsoft released 7 new security updates today, as part of their routine monthly security update cycle. As indicated below, three (3) are identified as critical and four (4) as Important.

The bulletins address 26 vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics AX, and the .NET Framework. In addition to the security bulletins, Microsoft is releasing an automatic updater feature for Windows Vista and Windows 7 untrusted certificates. (See "Certificate Trust List update and the June 2012 bulletins" in the following post)

Microsoft also released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Critical: 3

MS12-036 - Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)
MS12-037 - Cumulative Security Update for Internet Explorer (2699988)
MS12-038 - Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)

Important: 4

MS12-039 - Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)
MS12-040 - Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)
MS12-041 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)
MS12-042 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)

Security Bulletin : http://technet.microsoft.com/en-us/security/bulletin/ms12-jun


Reply
Report offensive post
Email to friend

Certificate Trust List update and the June 2012 bulletins

by Carol~ Moderator - 6/12/12 10:27 AM

In Reply to: Microsoft Security Bulletin Summary for June 2012 by Carol~ Moderator

Angela Gunn @ the Microsoft Security Response Center blog:

For Update Tuesday we're releasing seven security bulletins - three Critical-class and four Important - addressing 26 unique CVEs to further improve the security postures of Microsoft Windows, Internet Explorer, Dynamics AX, Microsoft Lync, and the Microsoft .NET Framework. In addition to the security bulletins, we are releasing an automatic updater feature for Windows Vista and Windows 7 untrusted certificates.

This new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted. With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update. This new automatic update mechanism, which relies on a list of untrusted certificates known as a Disallowed Certificate Trust List (CTL), is detailed on the PKI blog. We encourage all customers to install this new feature immediately.

Adding to our defense-in-depth measures, in August, we will release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority. We're announcing this now to allow folks time to make needed adjustments. Further information on this change can be found on the PKI blog.

Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing on the following two Critical updates first:

MS12-037 (Internet Explorer): This security update addresses 13 issues affecting all supported versions of IE. The maximum severity for these issues is Critical and could result in remote code execution. To ensure protection all updates from this bulletin must be applied. We recommend that customers read through the bulletin information concerning MS12-037 and apply it as soon as possible.

MS12-036 (RDP): This security update addresses one Critical issue affecting all supported versions of Microsoft Windows that could result in remote code execution. Attack vectors for this issue include maliciously crafted websites and email. We recommend that customers read through the bulletin information concerning MS12-036 and apply it as soon as possible.

We're also issuing Security Advisory 2719615 today. It includes information on and mitigations for a recently disclosed Remote Code Execution issue involving MSXML Core Services, which is part of Windows and other products. Our investigation is still underway, but we have already developed an effective workaround that stops would-be attackers from taking advantage of the issue via Internet Explorer. We're pleased to offer it as an easy-to-deploy, no-reboot-required Fix it in Security Advisory 2719615 for anyone who, after reading about the issue, believes they might be at risk.

Continued : http://blogs.technet.com/b/msrc/archive/2012/06/12/certificate-trust-list-update-and-the-june-2012-bulletins.aspx


Was this reply helpful? (1)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Security Advisory 2719615

by Carol~ Moderator - 6/14/12 10:56 AM

In Reply to: Microsoft Security Bulletin Summary for June 2012 by Carol~ Moderator

Cristian Craioveanu @ the "Security Research & Defense" TechNet Blog:

MSXML: Fix it before fixing it

Microsoft has released Security Advisory 2719615, associated to a vulnerability in Microsoft XML Core Services. We want to share more details about the issue and explain the additional workarounds available to help you protect your computers.

Information about the vulnerability

A vulnerability exists in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 that could be exploited if a user views a specially crafted webpage using Internet Explorer. The issue is triggered when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. This class of vulnerability is exploitable by preparing both stack and heap memory with attacker-controlled data before the invalid pointer dereference.

Which workarounds should you apply?

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted web page. The vulnerability can be triggered only through the use of Active Scripting, so the following standard workarounds still apply:

• Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX controls and Active Scripting in these zones.
• Restrict Web sites to only your trusted Web sites.

We consider these, together with disabling MSXML ActiveX controls, to be too disruptive to the Internet Explorer browsing experience to be considered practical for wide adoption. At the same time, we know this vulnerability is actively exploited in the wild for targeted attacks. In such situations, we offer guidance and workarounds in a Security Advisory, in order to protect customers as fully as possibly while we prepare the necessary security update.

In order to assure the safety of our customers during this time, we created a new workaround in the form of a Microsoft "Fix it" package that uses the Windows application compatibility toolkit to make a small change at runtime to either of msxml3.dll, msxml4.dll or msxml6.dll every time Internet Explorer is loaded. This change causes Internet Explorer to initialize the previously uninitialized variable which is at the root of the vulnerability.

You can apply this workaround by running the Microsoft Fix it 50897 from the link below. For enterprise deployment, please refer to Knowledge Base article 2719615, section "Deploying an application compatibility database across multiple computers".

Continued : http://blogs.technet.com/b/srd/archive/2012/06/13/msxml-fix-it-before-fixing-it.aspx


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close