Assessing risk for the December 2012 security updates
Today we released seven security bulletins addressing 12 CVEs. Five of the bulletins have a maximum severity rating of Critical, and two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max XI | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS12-077 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Internet Explorer versions 6, 7, and 8 are offered this update only to block a defense-in-depth attack vector whereby an attacker could convince a victim to trigger an XSS vulnerability by copy-pasting JavaScript into the URL field. |
| MS12-079 (Word) | Victim opens a malicious RTF file attachment or previews a rich text email in the Outlook preview pane with Word set as the default viewer, resulting in potential code execution in the context of the logged-on user. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Reading email in plaintext mitigates the potential Outlook Preview Pane attack vector. |
| MS12-081 (Windows File Handling) | Victim navigates to a malicious WebDAV or SMB share and encounters a maliciously crafted Unicode filename. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | |
| MS12-078 (Windows font drivers - ATMFD & win32k.sys) | Most likely attack vector is an attacker who is already running code on a machine leveraging the vulnerability to elevate from a low-privileged account to SYSTEM. | Critical | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | One of the two CVEs is usable for denial-of-service only. The other (CVE-2012-4786) could potentially be embedded in either an Office document or a PDF file. |
| MS12-080 (Oracle Outside In for Exchange) | Attacker sends email with a malicious attachment and lures the victim to view the attachment as a webpage within Outlook Web Access. The attacker could potentially compromise the server-side process generating the web page. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | The Oracle Outside In process runs at a lower privilege level, LocalService. For more background information, please see this SRD blog post. |
| MS12-082 (DirectPlay) | Victim opens a malicious Office document having an embedded ActiveX control, resulting in potential code execution in the context of the logged-in user. | Important | 2 | Will be difficult to build a reliable exploit for this vulnerability. Less likely to see consistently working exploit code in the next 30 days. | |
| MS12-083 (IP-HTTPS Security Feature Bypass) | Attacker holding a legitimately issued but subsequently revoked computer certificate is able to establish a DirectAccess tunnel to gain access to a corporate intranet. | Important | N/A | Not applicable - security feature bypass only, with no direct code execution potential. | This attack is only possible after the attacker obtains a revoked computer certificate that is trusted by the IP-HTTPS server. |
- Jonathan Ness, MSRC Engineering