Advance notice of Microsoft patches to be released on July 10

Microsoft has just sent their advance notice of the patches that are scheduled to be released on July 9, 2012. There are a total of 9 patches to be released for July 2012. Three of the patches are designated as CRITICAL and the remaining six patches are designated as IMPORTANT. Exceptions are noted where applicable depending on operating system version.

The CRITICAL patch bulletins #1-3 apply to the following Windows Operating Systems, and Web browsers:

Bulletin #1 – CRITICAL

Remote Code Execution vulnerability

  • Workstation Operating Systems
    Windows 7 – base and SP1 – (32 and 64 bit)
    Windows Vista – SP2 (32 and 64 bit)
    Windows XP SP3 (32 bit) and SP2 (64 bit)
  • Server Operating Systems
    Windows Server 2008R2 base and SP1 (64 bit and Itanium)
    Windows Server 2008 SP2 (32, 64 bit and Itanium)
    Windows Server 2003 SP2 (32, 64 bit and Itanium)

Bulletin #2 – CRITICAL

Remote Code Execution vulnerability – OS restart required

  • Workstation Operating Systems
    Windows 7- Internet Explorer version 9
    Windows Vista -Internet Explorer version 9
    Windows XP – Not applicable
  • Server Operating Systems
    Windows Server 2008R2 base and SP1 (32 and 64 bit) – Internet Explorer version 9* – MODERATE
    Windows Server 2008R2 – Itanium – Not applicable
    Windows Server 2008 base and SP1 (32 and 64 bit) – Internet Explorer version 9* – MODERATE
    Windows Server 2008 – Itanium – Not applicable
    Windows Server 2003 – Not applicable

*Note: For Bulletin #2, the following Server operating systems are assigned as severity of MODERATE: Windows Server 2008R2, and Windows Server 2008

NOTE2: For Server Core only installations of Windows Server 2008 and 2008R2, bulletin #2 is not applicable.

Bulletin #3 – CRITICAL
Remote Code Execution vulnerability

  • Workstation Operating Systems
    Window 7 base and SP1 (32 and 64 bit)
    Windows Vista SP2 (32 and 64 bit)
    Windows XP SP3 (32 bit)
    Windows XP SP2 (64 bit)
  • Server Operating Systems
    Windows Server 2008R2 base and SP1 (64 bit and Itanium) – MODERATE
    Windows Server 2008 SP2 (32, 64 bit and Itanium) – MODERATE
    Windows Server 2003 SP2 (32, 64 bit and Itanium) – MODERATE

Important bulletins #4-9 apply to the following Microsoft Operating Systems, Office applications and products

Bulletin #4 – IMPORTANT
Remote Code Execution vulnerability

  • Microsoft Office Suites and Software
    Office 2003 SP3
    Office 2007 SP2 and SP3
    Office 2010 base and SP1 (32 and 64 bit versions)
    Visual Basic for Applications
    Visual Basic for Applications SDK

Bulletin #5 – IMPORTANT
Elevation of Privilege vulnerability

  • Workstation Operating Systems
    Window 7 base and SP1 (32 and 64 bit)
    Windows Vista SP2 (32 and 64 bit)
    Windows XP SP3 (32 bit)
    Windows XP SP2 (64 bit)
  • Server Operating Systems
    Windows Server 2008R2 base and SP1 (64 bit and Itanium) – IMPORTANT
    Windows Server 2008 SP2 (32, 64 bit and Itanium) – IMPORTANT
    Windows Server 2003 SP2 (32, 64 bit and Itanium) – IMPORTANT
    Windows Server core installations of 2008 and 2008R2 (all versions) – IMPORTANT

Bulletin #6 – IMPORTANT
Remote Code Execution vulnerability

  • Workstation Operating Systems
    Windows 7 base and SP1 (32 and 64 bit versions)
    Windows Vista SP2 (32 and 64 bit versions)
    Windows XP SP3 (32 bit)
    Windows XP SP2 (64 bit)
  • Server Operating Systems
    Windows Server 2008R2 base and SP1 (64 bit and Itanium)
    Windows Server 2008 SP2 (32, 64 bit and Itanium)
    Windows Server 2003 SP2 (32, 64 bit and Itanium)

Bulletin #7 – IMPORTANT
Information Disclosure vulnerability

  • Workstation Operating Systems
    Windows 7 base and SP1 (32 and 64 bit versions)
    Windows Vista SP2 (32 and 64 bit versions)
    Windows XP SP3 (32 bit)
    Windows XP SP2 (64 bit)
  • Server Operating Systems
    Windows Server 2008R2 base and SP1 (64 bit and Itanium)
    Windows Server 2008 SP2 (32, 64 bit and Itanium)
    Windows Server 2003 SP2 (32, 64 bit and Itanium)

Bulletin #8 – IMPORTANT
Elevation of Privilege vulnerability

  • Microsoft Office software
    InfoPath 2007 SP2 and SP3
    InfoPath 2010 base and SP1 (32 and 64 bit versions)
    Office SharePoint Server 2007 SP2 and SP3 (32 and 64 bit versions)
    Office SharePoint Server 2010 base and SP1
    SharePoint Services 3.0 SP2 (32 and 64 bit versions)
    SharePoint Foundation 2010 base and SP1
    Groove Server 2010 base and SP1
    Office Web apps 2010 base and SP1

Bulletin #9 – IMPORTANT
Elevation of Privilege vulnerability

  • Microsoft Office for Mac
    Office for Mac 2011*

*Note: Only the 2011 version of Office for Mac is impacted by the vulnerability identified in bulletin #9.

As no information is available with regard to if these vulnerabilities have been publicly disclosed, no recommendation can be provided with regard to the urgency of the installation of the July patches.

Additional information will be provided on July 10 following the release of the patches.

The Microsoft announcement is available at – http://technet.microsoft.com/en-us/security/bulletin/ms12-jul

 

Update July 10

Additional details have now been provided by Microsoft on the July patches. While there is only one patch that has been disclosed publicly prior to July 10 (http://technet.microsoft.com/en-us/security/bulletin/ms12-043 ), the AgriLife ISO recommendation for July patches is that they should be applied as soon as possible to workstations at a minimum. The rationale for this recommendation is as follows: the vulnerability patched in MS12-043 resides within versions 3.0 through 6.0 of Microsoft XML core services and has been not only publicly disclosed but also exploited publicly since approximately June 12; additionally, the vulnerability exists in all current versions of Windows, desktop and server (albeit server versions are rated with a MODERATE severity); Office 2003, Office 2007, Office Word Viewer, Office Compatibility pack, Microsoft SharePoint and Groove Server 2007.

To exploit the vulnerability, an attacker would have to convince a user to visit a webpage that has been specially crafted to exploit the vulnerability.  This could be accomplished by sending an e-mail that included the URL of the malicious web page and or the URL be sent in a Text Message or Instant Message. The malicious software would then be installed on the machine within the context that the existing user that was currently logged in as (be it an administrator or limited logon ID).

Additionally, the vulnerabilities patched in MS12-044 and MS12-045 while not disclosed publicly prior to July 10, now that they have been disclosed, reliable exploit code is expected to be released in the next 30 days.

Tags:

Categories: Uncategorized