Microsoft Patches XML Flaw Under Attack and 15 More Vulnerabilities

Microsoft released nine security bulletins, including updates to patch an XML flaw actively under attack, and vulnerabilities in IE 9.

It's the second Tuesday in July, and you know what that means: it's Microsoft Patch Tuesday. Today, Microsoft released nine new security bulletins as predicted in the advance notice last week. Some updates are more urgent than others, though, so we turn to security experts for insight and analysis to help guide your patching efforts.

Of the nine security bulletins, three are rated as Critical while the remaining six are ranked as merely Important. Of course, Important still suggests a sense of urgency that shouldn't be ignored.

The three Critical bulletins address the vulnerability in Windows XML core services, and flaws in Internet Explorer 9 and Microsoft Data Access Components (MDAC). The Important updates fix a range of issues affecting Windows, Office, Office for Mac, and SharePoint.

Qualys CTO Wolfgang Kandek states in a blog post, "Of the three bulletins rated critical, the top priority goes to MS12-043 that addresses the MSXML vulnerability, which has been under attack for the last 30 days."

Andrew Storms, director of security operations for nCircle, agrees. Storms notes that the XML flaw is already included in a variety of exploit toolkits, and attacks are circulating in the wild. Storms adds, "If you are paying close attention, you'll notice that the XML version 5 patch for the bug isn't shipping today. The fix for this version is probably not ready yet, so Microsoft decided to deliver the other patches. So far, all the attacks in the wild utilize XML version 3, so this release, even though not totally complete, seems like a no-brainer."

Marc Maiffret, co-founder of eEye Digital Security and now CTO at BeyondTrust, points out, "Internet Explorer 9 is not only the 'faster browser' this month but the fastest way to get you owned. MS12-044 specifically covers a critical vulnerability that affects only Internet Explorer 9."

Maiffret finds it interesting that both MS12-043 and MS12-044 (the patches for XML and IE9) also affect the Windows 8 Release Preview. He stresses that we don't really know if an exploit would be as straightforward on the new OS given new and improved security controls, but notes the fact that two out of nine security bulletins also affect the upcoming flagship OS may be a harbinger of things to come.

"Of the Important bulletins, MS12-046 and MS12-048 should be next on everyone's 'Must Patch' list," according to Marcus Carey, a security researcher with Rapid7. Carey adds, "MS12-046 and MS12-048 can both exploit victims who navigate to malicious WebDAV or SMB shares and open malicious files in the malicious directory. These two bulletins are primed for spear phishing attacks."

As with every Patch Tuesday, the prioritization of updates, and the degree of urgency with which the patches are implemented will vary from one organization to the next. Examine the Microsoft security bulletins, and install the updates that affect your systems as soon as possible.
