Internet Explorer 9.0.8; Windows Sidebar and Gadgets Fix it Now Available; Patches 16 Issues


On Tuesday, July 10, Microsoft released nine security bulletins, three rated Critical and six rated Important, addressing 16 issues in Microsoft Windows, Internet Explorer, Visual Basic for Applications, and Microsoft Office.

The six Important-class bulletins cover issues in Windows, Visual Basic for Applications, and Office, including SharePoint and Office for Mac.

MS12-043 (Microsoft XML Core Services) addresses an issue affecting all supported versions of Windows. The bulletin carries a Critical severity rating, and the issue can result in remote code execution. Customers running Microsoft Office should also familiarize themselves with this bulletin, since MSXML ships with Office as well.

"The security updates for Microsoft XML Core Services 5.0 are unavailable at this time. Microsoft will release the updates when testing is complete, in order to ensure a high degree of quality," the SRD blog notes. In the meantime, customers running Microsoft Office 2003 or 2007 are encouraged to apply the automated Microsoft Fix it solution that blocks the attack vector for this vulnerability:

Microsoft Fix it 50908: Apply / Uninstall

The team also recommends EMET as a mitigation against attempts to exploit this vulnerability. "The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from successfully being exploited by applying the latest mitigations to applications configured in EMET," explains SRD.

MS12-045 (Microsoft Data Access Components [MDAC]) addresses a Critical-class Windows issue that could result in remote code execution. "The issue exists in all versions of Windows, and users of any version of Internet Explorer would potentially be vulnerable to it," MSRC explained.

MS12-044 (Internet Explorer) addresses two Critical-class, remote-code-execution issues affecting Internet Explorer. As with the MDAC issue, "these two vulnerabilities were privately disclosed to us and we have no indication that they're under exploit in the wild," the MSRC said.

As a result, Internet Explorer is now at version 9.0.8, available via Windows Update.

Below is the deployment priority guidance:

[Figure: Microsoft July 2012 Security Bulletin Deployment Chart]

…and here is the risk and impact graph, which gives an aggregate view of this month's severity and exploitability index:

[Figure: Microsoft July 2012 Security Updates: Severity and Exploitability Chart]

Also released on July 10 were two new security advisories:

Security Advisory 2719662, which provides a Fix it that lets system administrators disable the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7 with a single click.

As many of you are aware, "Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store. Meanwhile, we've discovered that some Vista and Win7 gadgets don't adhere to secure coding practices and should be regarded as causing risk to the systems on which they're run. With time running out for the Sidebar and Gadgets and with developers already moving on, we've chosen to deprecate the Windows Gadget Gallery effective immediately, and to provide a Fix it to help sysadmins disable Gadgets and the Sidebar across their enterprises," explains MSRC.
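For administrators who would rather script the change than click a Fix it on every machine, the following PowerShell is an added example, not Microsoft's Fix it and not code from the advisory. It applies the "Turn off Windows Sidebar" machine policy through the registry, stops any Sidebar host that is already running, and provides a check that can be run from inventory tooling. The registry path and the TurnOffSidebar value name are assumptions stated in the comments, not details taken from this page.

```powershell
# Added example, not Microsoft's Fix it: apply the "Turn off Windows Sidebar" policy
# by registry, stop any running Sidebar host, and verify the policy is in place.
# ASSUMPTION: the policy is the REG_DWORD value TurnOffSidebar = 1 under the
# Policies\Windows\Sidebar key; this matches the Group Policy setting of that name
# but the path is asserted here, not quoted from the advisory text above.

$SidebarPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'

function Disable-WindowsSidebar {
    # Create the policy key if it is missing (Policies\Windows usually exists, Sidebar usually does not).
    if (-not (Test-Path -Path $SidebarPolicyKey)) {
        New-Item -Path $SidebarPolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $SidebarPolicyKey -Name 'TurnOffSidebar' -Value 1 -Type DWord

    # The policy is read at logon; terminate a running host now so loaded gadgets stop immediately.
    Get-Process -Name 'sidebar' -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Test-WindowsSidebarDisabled {
    # Returns $true only when the machine-wide policy value is present and set to 1.
    $item = Get-ItemProperty -Path $SidebarPolicyKey -Name 'TurnOffSidebar' -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.TurnOffSidebar -eq 1)
}

# Usage: run from an elevated prompt (HKLM writes require administrator rights).
Disable-WindowsSidebar
if (Test-WindowsSidebarDisabled) { 'Sidebar policy applied' } else { 'Sidebar policy NOT applied' }
```

The machine-wide key is used so a user cannot re-enable the Sidebar from the Control Panel; the same value under HKEY_CURRENT_USER would only cover one profile. Test-WindowsSidebarDisabled is the piece to wire into whatever configuration-compliance check you already run, so that a machine that loses the policy shows up as drift rather than quietly regaining Gadgets.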

Security Advisory 2728973: Microsoft is preparing a defense-in-depth change to how Windows handles certificates whose RSA keys are shorter than 1024 bits. Once the update is released in August, Windows will treat every such certificate (RSA key of fewer than 1024 bits) as invalid, even if it is currently within its validity period and is signed by a trusted certificate authority.
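The practical task this advisory creates is finding the short keys before the August update starts rejecting them. The PowerShell below is an added example, not code from Microsoft or the advisory: it enumerates the certificate stores most likely to matter and reports every certificate with an RSA public key below the 1024-bit floor. The list of store paths is an assumption for a typical client or server and should be adjusted for your environment.

```powershell
# Added example, not from the advisory: audit local certificate stores for RSA public
# keys shorter than the 1024-bit floor that the August change will enforce.
# ASSUMPTION: the store paths below are the ones worth checking on a typical machine;
# extend the list (e.g. with service account stores) for your own environment.

function Find-WeakRsaCertificate {
    param(
        [int]$MinimumBits = 1024,
        [string[]]$StorePath = @(
            'Cert:\LocalMachine\My',
            'Cert:\LocalMachine\Root',
            'Cert:\LocalMachine\CA',
            'Cert:\LocalMachine\TrustedPeople',
            'Cert:\CurrentUser\My'
        )
    )

    # Match on the rsaEncryption OID rather than Oid.FriendlyName, which is localized.
    $rsaOid = '1.2.840.113549.1.1.1'

    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.PublicKey.Oid.Value -eq $rsaOid } |
            ForEach-Object {
                # PublicKey.Key is an RSACryptoServiceProvider for RSA certificates; KeySize is in bits.
                $bits = $_.PublicKey.Key.KeySize
                if ($bits -lt $MinimumBits) {
                    # New-Object PSObject keeps this runnable on the PowerShell 2.0 that ships with Windows 7.
                    New-Object PSObject -Property @{
                        Store      = $path
                        Subject    = $_.Subject
                        Issuer     = $_.Issuer
                        Thumbprint = $_.Thumbprint
                        KeyBits    = $bits
                        NotAfter   = $_.NotAfter
                    }
                }
            }
    }
}

# Usage: list the offenders, shortest keys first.
Find-WeakRsaCertificate | Sort-Object KeyBits | Format-Table Store, KeyBits, Subject, Thumbprint -AutoSize
```

Two caveats when reading the output. First, a hit in the Root or CA store means every certificate chaining through that issuer will fail once the change ships, not just the one certificate listed, so treat issuer hits as the urgent ones. Second, this only inspects stores on the machine it runs on; certificates presented by remote servers, embedded in signed code, or used by applications that keep their own stores need to be checked where they live.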

Finally, customers are advised to review KB 2677070, which provides an automated mechanism that updates the Disallowed Certificate Trust List on Windows Vista and Windows 7 clients without waiting for a manual update.

Please watch the video below for an overview of this month's bulletins.

Update 07/14: MSRC has published the July Security Bulletin Webcast Questions & Answers page, the July 2012 Security Bulletin Release Webcast slide deck, and the recording of Wednesday's webcast.