This was a really bad month for Microsoft and security, including security problems in a common controls library and Microsoft Exchange Server. There are a lot of "install immediately" patches here, so you'll want to brew up a fresh pot of coffee.
It is also with a fair amount of sadness that I have to say that this is likely to be my final Patch Tuesday article due to changes in my work status. I truly have enjoyed writing this article monthly for about four years now. This does not mean that the Patch Tuesday articles are coming to a close, just that another contributor will be taking over the responsibility of writing them. I would like to thank each and every one of you for making this series the success that it has been, and TechRepublic's Mark Kaelin for asking me to start writing these all of those years ago.
Security Patches
- MS12-052/KB2722913 - Critical (IE6, IE7, IE8, IE9): This patch resolves four security vulnerabilities in Internet Explorer, which can allow remote code execution attacks launched through malformed Web pages. ActiveX and similar technologies do not seem to be the culprit here. You should apply this patch immediately.
- MS12-053/KB2723135 - Critical (XP): XP systems can be sent a stream of data over Remote Desktop Protocol (RDP) that can allow for a remote code execution attack. Apply this fix to those systems to close the hole.
- MS12-054/KB2733594 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): Four vulnerabilities in the Windows networking stack (including one that can be activated by sending bad packets to the print spooler) are fixed by this patch. Install it as soon as you can.
- MS12-055/KB2731847 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): A locally logged-on user can run an application to escalate their privileges; this patch fixes the issue. This can wait until your normal patch time.
- MS12-056/KB2706045 - Important (XP x64, Vista x64, W7 x64, 2008 x64, 2008 R2 x64, 2008 R2 IA64): A problem with the VBScript and JScript engines in 64-bit versions of Windows leads to remote code execution vulnerabilities that Web pages can take advantage of. Microsoft rates this as "important" but I would suggest that you install the patch with urgency.
- MS12-057/KB2731879 - Important (Office 2007, Office 2012): Opening Office files that have been malformed or contain a malformed Computer Graphics Metafile (CGM) can allow for remote code execution attacks. You will want to install the patch as soon as you can due to the commonality of Office documents.
- MS12-058/KB2740358 - Critical (Exchange 2007, Exchange 2010): It's rare to see a security bug in Microsoft Exchange, but here we are with one. If someone views a document via Outlook Web Access (OWA) with the WebReady Document Viewing system, it can attack the Exchange server. To make it worse, the vulnerability is publicly disclosed. Install this patch as soon as you can if you are running an Exchange server.
- MS12-059/KB2733918 - Important (Visio 2010, Visio Viewer 2010): Opening up a Visio file can allow remote code execution attacks. This is another case where the file format is common enough to justify installing this ahead of schedule.
- MS12-060/KB2720573 - Critical (Office 2003, Office 2007, Office 2010, SQL Server 2000, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, Commerce Server 2002, Commerce Server 2007, Commerce Server 2009, Commerce Server 2009 R2, Host Integration Server 2004, Visual FoxPro 8.0, Visual FoxPro 9.0, VB 6.0 Runtime): The Windows Common Controls can allow for remote code execution attacks when viewing malformed Web pages; this affects a huge number of products, and the various patches (there will be many, many patches for the same issue here) should all be installed as swiftly as you can.
Other Updates
- KB2608659 - Update to fix issues with Single Instance Storage (SIS) for 2008 R2 that may lose or corrupt data.
- KB2647753 - Update rollup for printing in W7 and 2008 R2.
- KB2705117 - Update rollup for a variety of bugs in Small Business Server 2011 Essentials.
- KB2705118 - Update Rollup 3 for Windows Home Server 2011.
- KB2705122 - Update rollup for a variety of bugs in Storage Server 2008 R2 Essentials.
- KB2719857 - Fixes problems connecting to 3G or 4G networks over USB in W7 and 2008 R2.
- KB2729094 - Updates the Symbol font in W7 and 2008 R2 with new symbols.
- KB2732487 - Resolves an issue where resuming from sleep or hibernation on W7 gives error "0x0000000a."
- KB2732500 - Corrects an "E_UNEXPECTED 0x8000ffff" error when using System Restore on W7.
Changed, but not significantly:
- KB982861 - IE9 language pack for W7 x64
Updates since the last Patch Tuesday
There were no security updates released out-of-band.
Minor items added or updated since the last Patch Tuesday: none.
Changed, but not significantly:
- KB2728973 - Certificate security update
- MS12-004/KB2598479 - Security update for Vista
- MS11-092/KB2619339 - Security update for Vista
- MS12-020/KB2621440 - Security update for Vista
- MS12-004/KB2631813 - Security update for Vista
- MS12-024/KB2653956 - Security update for Vista
- MS12-013/KB2654428 - Security update for Vista
- MS12-034/KB2676562 - Security update for Vista
- MS12-045/KB2698365 - Security update for Vista
- MS12-043/KB2719985 - Security update for Vista
Justin James is the Lead Architect for Conigent.