Microsoft released nine security bulletins today addressing 26 vulnerabilities in its products.
Five of the bulletins are rated ‘critical’, and cover issues in Windows, Internet Explorer, Microsoft SQL Server, Microsoft Exchange, Server Software and Developer Tools. From a priority standpoint, Microsoft recommended organizations deploy three critical updates first – MS12-060, MS12-052 and MS12-054.
“At the top of the Microsoft list is another MSCOMCTL-related bug,” said Andrew Storms, director of security operations at nCircle.
Storms was referring to MS12-060, which addresses a vulnerability in Windows common controls that could enable remote code execution through drive-by downloads.
“There is some good news this month—that the attack vector associated with the MSCOMCTL patch is an RTF file—and the victim has to explicitly open the file to allow the exploit,” he said. “If you can’t get this patch rolled out or mitigation applied quickly, you should remind users about the dangers of opening attachments from unknown persons.”
MS12-052 addresses four vulnerabilities affecting Internet Explorer. None of them are known to be under attack, however successful exploitation via drive-by downloads could result in remote code exaction. Like MS12-052, MS12-054 also addresses four vulnerabilities, though in this case in Microsoft Windows. The most severe of the bugs could enable an attacker to remotely execute code if the attackers send a specially-crafted response to a Windows print spooler request.
“MS12-054 contains a sprint spooler bug with a potentially wormable condition, Storms said, meaning attackers are going to focus carefully on the vulnerability “to uncover all of its potential.”
“This is something that predominately affects small business and campus locations where Windows computers are configured in workgroups,” he said. “If this describes your business, deploy this patch as soon as you can.”
The other two critical bulletins deal with vulnerabilities in Microsoft Exchange Server WebReady Document Viewing and the Remote Desktop Protocol. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system, and systems that do not have RDP enabled are not at risk, according to Microsoft.
The remaining bulletins are rated ‘Important’ and address issues in Windows and Office.
In the video below, Qualys CTO Wolfgang Kandek and Amol Sarwate, vulnerability labs director at Qualys, discuss the Microsoft Patch Tuesday release for August 2012, along with other updates released by Adobe.