Microsoft October 2012 Black Tuesday Update - Overview
Overview of the October 2012 Microsoft patches and their status.
# | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) | |
---|---|---|---|---|---|---|
clients | servers | |||||
MS12-064 | Remote Code Execution Vulnerability in Microsoft Word (ReplacesMS12-029 MS10-079 MS12-050 ) |
|||||
Word CVE-2012-0182 CVE-2012-2528 |
KB 2742319 | No. | Severity:Critical Exploitability: 1 |
Critical | Important | |
MS12-065 | Remote Code Execution Vulnerability in Microsoft Works (ReplacesMS12-028 ) |
|||||
Works CVE-2012-2550 |
KB 2754670 | No. | Severity:Important Exploitability: 2 |
Critical | N/A | |
MS12-066 | Elevation of Privilege Vulnerability via XSS in HTML Sanitation Component (ReplacesMS12-039 ) |
|||||
HTML Sanitation" CVE-2012-2520 |
KB 2741517 | Yes (limited). | Severity:Important Exploitability: 1 |
Important | Important | |
MS12-067 | Oracle outside/in and advanced filter pack for FAST Search Server Code Execution Vulnerabilities |
|||||
FAST Search Server 2010 (SharePoint) CVE-2012-1766 CVE-2012-1767 CVE-2012-1768 CVE-2012-1769 CVE-2012-1770 CVE-2012-1771 CVE-2012-1772 CVE-2012-1773 CVE-2012-3106 CVE-2012-3107 CVE-2012-3108 CVE-2012-3109 CVE-2012-3110 |
KB 2742321 | Yes. | Severity:Important Exploitability: 1 |
Important | Critical | |
MS12-068 | Privilege Escalation in Windows Kernel (ReplacesMS09-058 MS10-021 MS11-068 MS11-098 MS12-042 ) |
|||||
Kernel CVE-2012-2529 |
KB 2724197 | No. | Severity:Important Exploitability: 3 |
Important | Important | |
MS12-069 | Denial of Service Vulnerability in Kerberos (ReplacesMS11-013 ) |
|||||
Word CVE-2012-2551 |
KB 2743555 | No. | Severity:Important Exploitability: 1 |
Important | Important | |
MS12-070 | Reflective XSS Vulnerability in SQL Server (ReplacesMS09-062 MS11-049 ) |
|||||
Word CVE-2012-0182 CVE-2012-2528 |
KB 2754849 | No. | Severity:Important Exploitability: 1 |
N/A | Important |
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
My next class:
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
×
Diary Archives
Comments
http://support.microsoft.com/kb/2749655
Add that to the mix or do another diary post, as it makes your head spin a bit.
More here: http://blogs.technet.com/b/srd/archive/2012/10/09/security-advisory-2749655-and-timestamping.aspx
Susan
Oct 9th 2012
1 decade ago
Authenticode is Microsoft's way of digitally signing executable (exe, ocx, etc.) and other (such as cab) files. Optionally the digital signature is timestamped, and that's the issue here.
Quoting from http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/best_practices.doc :
----------------------
Timestamps
Certificates normally expire after a period of time, such as one year. However, software is typically designed to operate for many years. If the certificate that was used to sign the code expires, the signature cannot be validated and the software might not install or run. To avoid this issue, Microsoft recommends that software publishers timestamp their digital signatures.
A timestamp is an assertion from a trusted source, called a timestamp authority (TSA), that the digital signature’s signed hash was in existence when the timestamp was issued. If the signing certificate was valid at that time, Windows considers the signature to be valid even if the certificate has since expired. If a signature is not timestamped, when the certificate used to sign the software expires, the signature simply becomes invalid.
Timestamps also play a role when checking for revoked certificates. If a digital signature was timestamped before the certificate was revoked, the signature remains valid. Timestamping thus allows a company to revoke a certificate and start signing with a new certificate without any risk of invalidating previously signed software applications.
----------------------
From ttp://blogs.technet.com/b/srd/archive/2012/10/09/security-advisory-2749655-and-timestamping.aspx :
"Unfortunately, due to a clerical error, a subset of binaries processed by the PRSS lab between June 12, 2012 and August 14, 2012 were digitally signed in an incorrect manner.
The signing error involved the timestamp placed on each file as it was being signed. The certificate used for timestamping was missing a critical attribute that will cause the digital signature to become invalid at the point in the future when the package’s signing key has expired."
Erik van Straten
Oct 10th 2012
1 decade ago
This does not look to be correct. MS12-69 is Kerberos related and MS12-70 is SQL Server related.
@Rik
Oct 10th 2012
1 decade ago
After conducting some research, I concluded that the Authenticode issue might be caused by a missing "Key usage" extension (marked critical) in the "Microsoft Time-Stamp Service" certificate valid from 2011-07-26 to 2012-10-25 with serial number "61 05 19 96 00 00 00 00 00 1b" (thumbprint "23 4c 7a ea 9c 8c 7e 8c 3f d2 db 39 31 8f a2 ac 99 a7 23 42"), which was used to timestamp recent updates.
Although this certificate has an "Enhanced Key Usage" extension, set to "Time Stamping (1.3.6.1.5.5.7.3.8)", this extension is not marked (tagged) critical. A generic "Key Usage" extension is missing, while none of the other extensions are marked critical.
I had a look at a "VeriSign Time Stamping Services CA" certificate used to timestamp recent Adobe Flash updates, with serial nr. "79 a2 a5 85 f9 d1 15 42 13 d9 b8 3e f6 b6 8d ed". In contrast, that certificate contains the following extensions marked critical:
- Basic Constraints (critical) = Subject Type=End Entity; Path Length Constraint=None
- Key Usage (critical) = Digital Signature (80)
- Enhanced Key Usage (critical) = Time Stamping (1.3.6.1.5.5.7.3.8)
Now I just downloaded "WindowsXP-KB2723135-v2-x86-ENU.exe" (updated MS12-053) and "WindowsXP-KB2723135-v2-x86-ENU.exe" (new MS12-068). Both have been timestamped with "Microsoft Time-Stamp PCA" certificate with serial number "61 02 92 4a 00 00 00 00 00 20" valid from 2012-01-10 upto 2013-04-10 (thumbprint "21 1c 1b a9 c4 31 57 d5 d0 42 93 e5 56 9d 51 f3 c2 40 ed c0").
What I don't understand is that this new certificate is mostly identical to the former Microsoft timestamping certificate; it also doesn't have any critical extensions, and the "Key Usage" extension is also missing!
Compared to the VeriSign cert above the only relevant extension is:
- Enhanced Key Usage (NOT critical) = Time Stamping (1.3.6.1.5.5.7.3.8)
So, either there was nothing wrong with the older Microsoft timestamping certificate (and I don't understand the problem), or Microsoft is just postponing the problem by using a timestamping certificate that expires in April, 2013 instead of this month.
What am I missing here?
Erik van Straten
Oct 10th 2012
1 decade ago
Title: Microsoft Security Bulletin Re-Releases
Issued: October 9, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS12-043 - Critical
* MS12-053 - Critical
* MS12-054 - Critical
* MS12-055 - Important
* MS12-058 - Critical
Bulletin Information:
=====================
* MS12-043 - Critical
- http://technet.microsoft.com/security/bulletin/MS12-043
- Reason for Revision: V3.0 (October 9, 2012): Added Microsoft
XML Core Services 4.0 when installed on supported editions of
Windows 8 and Windows Server 2012 to affected software and
announced a corresponding detection change for the KB2721691
update package. Customers who have installed Microsoft XML
Core Services 4.0 on systems running Windows 8 or Windows
Server 2012 need to install the KB2721691 update to be
protected from the vulnerability described in this bulletin.
See the update FAQ for details.
- Originally posted: July 10, 2012
- Updated: October 9, 2012
- Bulletin Severity Rating: Critical
- Version: 3.0
* MS12-053 - Critical
- http://technet.microsoft.com/security/bulletin/MS12-053
- Reason for Revision: V2.0 (October 9, 2012): Revised bulletin
to offer the rerelease of the KB723135 update for Windows XP.
Customers need to apply the rereleased update packages to
avoid an issue with digital certificates described in
Microsoft Security Advisory 2749655.
- Originally posted: August 14, 2012
- Updated: October 9, 2012
- Bulletin Severity Rating: Critical
- Version: 2.0
* MS12-054 - Critical
- http://technet.microsoft.com/security/bulletin/MS12-054
- Reason for Revision: V2.0 (October 9, 2012): Revised
bulletin to offer the rerelease of the KB2705219 update
for Windows XP, Windows Server 2003, Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2. Customers
need to apply the rereleased update packages to avoid an issue
with digital certificates described in Microsoft Security
Advisory 2749655.
- Originally posted: August 14, 2012
- Updated: October 9, 2012
- Bulletin Severity Rating: Critical
- Version: 2.0
* MS12-055 - Important
- http://technet.microsoft.com/security/bulletin/MS12-055
- Reason for Revision: V2.0 (October 9, 2012): Revised
bulletin to offer the rerelease of the KB2731847 update
for Windows XP, Windows Server 2003, Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2. Customers
need to apply the rereleased update packages to avoid an
issue with digital certificates described in Microsoft
Security Advisory 2749655.
- Originally posted: August 14, 2012
- Updated: October 9, 2012
- Bulletin Severity Rating: Important
- Version: 2.0
* MS12-058 - Critical
- http://technet.microsoft.com/security/bulletin/MS12-058
- Reason for Revision: V2.0 (October 9, 2012): Revised bulletin
to offer the rerelease of updates for Microsoft Exchange Server
2007 Service Pack 3 (KB2756496), Microsoft Exchange Server 2010
Service Pack 1 (KB2756497), and Microsoft Exchange Server 2010
Service Pack 2 (KB2756485). Customers need to apply the
rereleased updates to avoid an issue with digital certificates
described in Microsoft Security Advisory 2749655.
- Originally posted: August 14, 2012
- Updated: October 9, 2012
- Bulletin Severity Rating: Critical
- Version: 2.0
Matt
Oct 10th 2012
1 decade ago
From the FAQ in https://technet.microsoft.com/en-us/security/advisory/2749655 :
-------------------------------------
What causes this issue?
This issue is caused by a missing timestamp Enhanced Key Usage (EKU) extension during certificate generation and signing of Microsoft core components and software. Some certificates used for two months of 2012 did not contain an X.509 timestamp Enhanced Key Usage (EKU) extension.
-------------------------------------
Apparently 2 certificates are involved. From http://blogs.technet.com/b/srd/archive/2012/10/09/security-advisory-2749655-and-timestamping.aspx :
-------------------------------------
In addition to re-signing and re-distributing the affected files, we are taking an unusual approach to address this issue at the platform layer. The Windows team has created a package with a modified WinVerifyTrust function that makes a special case of the _two_ known timestamping certificates that were missing the critical attribute. This will enable WinVerifyTrust to continue trusting these files and packages while redistribution completes.
-------------------------------------
See https://technet.microsoft.com/en-us/security/advisory/2749655 for a description of this (kind of scary) patch.
I still don't understand why Microsoft does not follow best practices by including the following extensions -and tagging them critical- in their (timestamping) certificates, just like VeriSign does:
- Basic Constraints (critical) = Subject Type=End Entity; Path Length Constraint=None
- Key Usage (critical) = Digital Signature (80)
- Enhanced Key Usage (critical) = Time Stamping (1.3.6.1.5.5.7.3.8)
Apparently Microsoft does not learn from errors made in the past. Last June Microsoft revoked 3 certificates because Flame could abuse them for other purposes than they were intended for, just because their usage was not restricted by including extensions tagged critical (see https://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx ).
@Matt: I can confirm that none of the older updates you mention are being re-offered on my XP computer. Neither by automatic updates, nor by visiting https://www.update.microsoft.com/
Erik van Straten
Oct 11th 2012
1 decade ago