The big news for June is the “Flame” virus. This thing is a total mess. The good news is, its intended use and targets are very specific, and chances are, if you are reading this, you aren’t them (unless you are a member of certain Middle Eastern governments). The most disturbing thing for the general public is that its creators were able to forge certificates for Windows Update, but to exploit them, attackers would need to do a man-in-the-middle attack (typically done through pointing to a malicious DNS server, or attacking DNS servers) to point users to a bad Windows Update server. That’s not exactly a small task, and Microsoft has already released a patch to revoke the bad certificates.

In better news, though, there was not a single security patch for Microsoft Office! Other than the annual December slowdown, I do not recall this happening in a very, very long time.


Security Patches

MS12-036/KB2685939 – Critical (XP, Vista, W7, 2003, 2008, 2008 R2): A flaw in Remote Desktop Protocol (RDP) allows attackers to perform remote code execution attacks. How many Windows servers allow RDP (even through the firewall)? An awful lot – get this patched ASAP.
MS12-037/KB2699988 – Critical (IE6, IE7, IE8, IE9): This patch rolls up a whopping thirteen security fixes into one. One of the vulnerabilities is already publicly known, too. Needless to say, this patch is a high priority item.
MS12-038/KB2706726 – Critical (.NET Framework 2.0, .NET Framework 4): Regular readers will know that I’ve become very down on XAML Browser Applications (XBAPs) due to security concerns. This is further reinforcement of that view. This patch plugs a remote code execution hole in XBAPs, and should be installed immediately.
MS12-039/KB2707956 – Important (Lync 2010 clients, Microsoft Communicator 2007 R2): Four security vulnerabilities, one of which allows for remote code execution attacks, have been found in a variety of Microsoft Lync clients and Microsoft Communicator 2007 R2. It’s not likely you will be in a meeting with an attacker; this patch can wait until your next scheduled patch time.
MS12-040/KB2709100 – Important (Microsoft Dynamics AX 2012): The Microsoft Dynamics AX 2012 Enterprise Portal allows attackers to send email messages to users or trick them into clicking on a URL that could perform an elevation of privileges attack. Install this patch if you use Enterprise Portal.
MS12-041/KB2709162 – Important (XP, Vista, W7, 2003, 2008, 2008 R2): Five vulnerabilities allow locally logged-on users to escalate privileges; this patch fixes them. This is a low-threat issue and the patch should not be treated as an emergency.
MS12-042/KB2711167 – Important (XP, W7, 2003, 2008 R2): Here’s the winner for “bizarre security problem of the month”: somehow, there is a pair of escalation of privileges vulnerabilities that affect XP/2003 and W7/2008 R2, but managed to miss the Vista/2008 generation of Windows. In the years that I have been writing this article each month, I never thought I’d see that! In any event, you should install this patch on schedule.

Other Updates

KB2677070 Provides an update to the system for getting the revoked certificates list.
KB2699779 No information available at this time.
KB2703157 Fixes a memory leak in the WinHTTP Web Proxy Auto-Discovery Service.
KB2709630 Patches a problem where logging into a Windows 7 or 2008 R2 machine that is disconnected from a domain could take a long time.
KB2709981 Fixes a problem with DVDs playing mangled video on Windows 7 and 2008 R2.

“The Usual Suspects”: Updates to the Malicious Software Removal Tool.

Changed, but not significantly:

  • MS12-020/KB2667402 Security update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
  • MS12-025/Multiple KBs – Security update for .NET Framework 1.1 – 4
  • KB982670 .NET Framework 4 Client Profile for XP.
  • KB982671 .NET Framework 4 for XP.

Updates since the last Patch Tuesday

There were no security updates released out-of-band.

Minor items added or updated since the last Patch Tuesday:

KB2718704 Certificate revocation list update to deal with the Flame virus.
KB2720211 Minor updates to WSUS 3.0 SP2.
KB947821 System update readiness tool for Vista, W7, 2008, and 2008 R2.

Changed, but not significantly:

  • MS12-034/KB2656407 Security update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP
  • MS12-034/KB2686509 Security update for Windows XP Embedded
  • MS12-035/KB2604092 Security update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP
  • MS12-035/KB2604110 Security update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP
  • MS12-100/KB2656352 Security update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP