I don't write about Microsoft's Patch Tuesday very often because it happens every month and, while they fix important vulnerabilities, most consist of routine maintenance issues or small fixes. Every so often, however, Patch Tuesday is a big deal, and that appears to be the case with this month's edition. This month, Microsoft patched critical flaws in both Internet Explorer (IE) and Windows, the latter via a Remote Desktop Protocol (RDP) update.
As Kaspersky Lab's Kurt Baumgartner pointed out in a blog post:
RDP is not enabled by default on Windows systems, but exposure to this month's remote code execution vulnerability is a problem for many businesses around the world, as the recent activity from the Morto worm demonstrated. Updating systems with MS12-036 is a priority - including Windows 2003 installs and up to the Server Core installation of Windows Server 2008 R2 for x64-based Systems Service Pack 1. It's rated critical, and most versions of Windows server OS are vulnerable not only to DoS attacks, but remote code execution.
The MS12-037 update for IE 6, 7, 8 and 9 is also labeled critical, as it addresses several vulnerabilities in the browser, including some that were brought to light during a hacking competition. Marcus Carey, security researcher at Rapid7, said that this may be the most critical of all of the patches and should be the number one priority for both enterprises and consumers to fix. Without the patch, users are at a greater risk of drive-by downloads and attacks.
Carey also noted that there was a change in the Patch Tuesday lineup:
Microsoft was supposed to patch important vulnerabilities related to Microsoft Office and Visual Basic with MS12-039. Instead, MS12-039 has been changed to update Microsoft Lync, formerly Microsoft Office Communicator. MS12-039 should only affect enterprise customers, although it is uncertain how large the actual deployment of Microsoft Lync in enterprises is. As a result of this change, organizations should also be on high alert as usual because Microsoft has since pulled fixes for Microsoft Office related to Visual Basic. In reality, we should always be wary of suspicious documents and attachments.
For as many patches as there are this month (I've seen numbers that list the updates at between 26 and 29), it doesn't look like Microsoft caught everything. I was expecting some response regarding the Flame incidents and the news that a counterfeit Microsoft digital certificate led to the malware being spread. There was no actual patch for that this month, but eSecurity Planet pointed out:
To help mitigate the risks of other potentially bad certificates, Microsoft is now issuing an updater for Windows Vista and Windows 7 to remove untrusted certificates.
Also, Google found that there is an unpatched vulnerability in Microsoft XML Core Services. Google Security Engineer Andrew Lyons wrote:
We discovered this vulnerability - which is leveraged via an uninitialized variable - being actively exploited in the wild for targeted attacks, and we reported it to Microsoft on May 30th. Over the past two weeks, Microsoft has been responsive to the issue and has been working with us. These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents. Users running Windows XP up to and including Windows 7 are known to be vulnerable.
It looks like July's Patch Tuesday could be a big-deal event as well. At the very least, it is encouraging that the company is staying on top of the vulnerabilities and is working to resolve them. So it is up to us on the user end to make sure we either get the automatic updates or remember to click on the Windows Update icon when it alerts us that an update is available. They can be easy to ignore and time-consuming to download if it is a busy Patch Tuesday, but the time it takes to download is much better than the alternative of having an infected machine.