Microsoft released a total of seven new security bulletins for May’s Patch Tuesday. Four are rated as Important, and the other three are Critical, but two in particular are getting the most attention: MS12-034 and MS12-029.
MS12-034 fixes 10 separate vulnerabilities spanning a range of Microsoft products including Windows, Office, .NET Framework, and Silverlight. It’s unusual for Microsoft to lump so many products together in a single security bulletin or patch.
Wolfgang Kandek, CTO of Qualys, provides some background to explain the unusual patch in a blog post. MS12-034 is the result of an effort by Microsoft to seek out other products using the same flawed code exploited by Duqu. This patch knocks out all of the other instances, and addresses a variety of other security issues in the affected products at the same time.
Andrew Storms, director of security operations for nCircle, isn’t impressed by the bundled patch. Storms says, “The core of this bug fix is related to the vulnerabilities leveraged by Duqu, a problem Microsoft fixed last year, so this bulletin also replaces a half dozen previously released bulletins. This is going to give the patch management folks some serious heartburn.”
Tyler Reguly, technical manager of security research and development at nCircle, agrees. “MS12-034 is sheer craziness—it’s going to be the most interesting and most painful part of the day for most IT security teams. There are multiple Office and .NET patches due to the overlap of products in this bulletin.”
Storms recommends IT admins not spend too much time scratching their heads analyzing or trying to understand MS12-034. “Just install the patch as soon as you can, and then move on.”
As urgent as MS12-034 is, MS12-029 is also crucial. Kandek explains, “The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.”
Of course, the rest of the security bulletins and patches should be addressed as well. The remaining five security bulletins fix flaws that allow elevation of privilege and remote code execution, and they should not be ignored or taken lightly.
Prioritize implementing the updates in MS12-034 and MS12-029, but be sure to review the other security bulletins and apply the patches as soon as possible.