Microsoft Addresses 26 Vulnerabilities; IE 9.0.9 Releases; SA 2661254; MSRT Adds Win32/Matsnu and Win32/Bafruz; SmartScreen & EV Code Signing Certificates

August 2012 Update Tuesday, released nine security bulletins of which -- five Critical-class and four Important - addressing 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office. MS12-060 (Windows Common Controls) affect Office, SQL Server, Server Software, and Developer Tools. MS12-052 (Internet Explorer) now available via Windows […]

August 2012 Update Tuesday, released nine security bulletins of which -- five Critical-class and four Important - addressing 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office.

MS12-060 (Windows Common Controls) affect Office, SQL Server, Server Software, and Developer Tools.

MS12-052 (Internet Explorer) now available via Windows Update advances IE versioning to 9.0.9 -- addresses four privately disclosed issues, "none of which are currently known to be under active attack," MSCR said.

"This security update is rated Critical for IE6, IE7, IE8, and IE9 on Windows clients and Moderate for IE6, IE7, IE8, and IE9 on Windows servers."

"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," MSRC explains.

MS12-054 (Windows Networking Components) addresses three issues related to the Remote Administration Protocol (RAP) and one issue affecting the Print Spooler. The impact from these issues ranges from Denial of Service (DoS) to Remote Code Execution (RCE).

Also, re-released today is the MS12-043 with additional updates for Microsoft XML Core Services 5.0. "This re-release does not affect the previous updates for versions 3.0, 4.0, and 6.0," MSRC stated.

Security Advisory 2661254 - Update For Minimum Certificate Key Length of less than 1024 bits in length - will be available in the Download Center as well as the Microsoft Update Catalog.

For additional details on these defense-in-depth changes to how Windows deals with certificates please visit Public Key Infrastructure (PKI) blog.

August 2012 Microsoft Malicious Software Removal Tool (MSRT) release added two new families of malware: Win32/Matsnu and Win32/Bafruz.

"Win32/Bafruz contains components, which achieve a number of objectives for the attacker, such as hijacking Facebook and Vkontakte accounts, launching Distributed Denial of Service attacks, performing Bitcoin mining, downloading malware, and disabling security and antivirus products."

You can download MSRT here.

On Tuesday, two Certificate Authorities (CAs), Symantec and DigiCert, announced the introduction of Extended Validation (EV) Code Signing Certificates.

Microsoft also announced that EV code signing certificates will integrate with the SmartScreen Application Reputation technology in Internet Explorer 9, Internet Explorer 10 and in Windows 8.

Windows Store and Windows 8 apps are not in scope for SmartScreen Application Reputation checks or warnings - these apps are reviewed, code signed, licensed & distributed by the Windows store directly.

Desktop Apps: "We recognize that Internet Explorer (IE) isn't the only way users download applications from the Internet, so Windows 8 now uses SmartScreen to perform an application reputation check the first time users launch applications that were downloaded from the Internet."

Best practices for developers:

  • Distribute your apps through the Windows Store
    Windows 8 Applications are required to pass the Windows Store developer onboarding and application review process. Windows 8 applications are not in scope for SmartScreen application reputation checks or warnings in Windows 8.
  • Digitally sign your programs (Standard or EV code signing)
    Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals. Only Authenticode Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish reputation.

    At this time, Symantec and DigiCert are offering EV code signing certificates.
  • Don't sign or distribute malicious code
    Distributing code detected as malicious will remove the reputation from a file and also any reputation from the associated digital certificate - even if signed with an EV code signing certificate.
  • Apply for a Windows Logo or Windows 8 Desktop App Certification
    Learn more about these programs here:

Below is a deployment priority guidance: (click for larger view)

Microsoft Patch Tuesday August 2012 Deployment Priority Guidance Chart

Here is the risk and impact graph provides an aggregate view of this month's severity and exploitability index (click for larger view):

Microsoft Patch Tuesday August 2012 risk and impact graph