Alert - Microsoft Releases Security Bulletin (Out-of-Band) to Address Vulnerabilities in Adobe Flash Player in Internet Explorer 10

Today, Microsoft released MS12-063 to protect customers against the issue described in Security Advisory 2757760. The security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

Microsoft encourages customers to test and deploy the update as soon as possible.

What is the purpose of this alert?

This alert is to provide you with an overview of the new security bulletin being released (out of band) on September 21, 2012, for new vulnerabilities in Internet Explorer.

Microsoft is also releasing one new security advisory today for Adobe Flash Player in Internet Explorer 10 on Windows 8 and Windows Server 2012.

New Security Bulletin

Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:

Bulletin Identifier

Microsoft Security Bulletin MS12-063

Bulletin Title

Cumulative Security Update for Internet Explorer (2744842)

Executive Summary

This security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2757760.

Severity Ratings and Affected Software

  •  This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients.
  •  This security update is rated Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows servers.
  •  Internet Explorer 10 is not affected.

Attack Vectors

  •   An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
  •   The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability.

Mitigating Factors

  •   An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.
  •   An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  •   By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
  •   By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section for this vulnerability for more information about Internet Explorer Enhanced Security Configuration.
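As an added check (not part of Microsoft's alert), the following PowerShell script reports whether the MS12-063 update (KB2744842) is installed on a host and whether the mitigating factors listed above, and in the Flash Player advisory below, are actually in effect: Internet Explorer version, Enhanced Security Configuration state, and script/ActiveX disabled in the Restricted sites zone. The KB number comes from the bulletin; the registry locations read are assumed standard Internet Explorer settings, not something this alert specifies.

```powershell
# Added example: verify MS12-063 patch state and the listed mitigations on this host.
# KB2744842 is from the bulletin; the registry paths are assumed standard IE locations.

$kb = 'KB2744842'

# 1. Is the cumulative update installed? Get-HotFix reads Win32_QuickFixEngineering.
$patch   = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
$patched = [bool]$patch

# 2. Which Internet Explorer version is present? IE10 reports its real version in
#    svcVersion; older releases only expose Version. IE10 is not affected by MS12-063.
$ieKey     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ie        = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$ieMajor   = if ($ieVersion) { [int]($ieVersion -split '\.')[0] } else { 0 }

# 3. Is IE Enhanced Security Configuration enabled for administrators (servers)?
#    IsInstalled = 1 under the Active Setup component GUID means ESC is on.
$escKey     = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$esc        = Get-ItemProperty -Path $escKey -ErrorAction SilentlyContinue
$escEnabled = ($null -ne $esc) -and ($esc.IsInstalled -eq 1)

# 4. Does the Restricted sites zone (zone 4) still disable Active Scripting (1400)
#    and ActiveX controls (1200)? A value of 3 means "Disable"; HTML mail relies on this.
$zoneKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
$zone       = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
$scriptOff  = ($zone.'1400' -eq 3)
$activeXOff = ($zone.'1200' -eq 3)

# Summarise: a host with IE 6-9 and no KB2744842 is still exposed to MS12-063.
[pscustomobject]@{
    Computer                      = $env:COMPUTERNAME
    IEVersion                     = $ieVersion
    MS12_063_Applies              = ($ieMajor -ge 6 -and $ieMajor -le 9)
    KB2744842Installed            = $patched
    IE_ESC_Enabled                = $escEnabled
    RestrictedZoneScriptDisabled  = $scriptOff
    RestrictedZoneActiveXDisabled = $activeXOff
}
```

Run it per host (for example through Invoke-Command against a list of machines) and collect the objects to see which systems still need the update or have had the Restricted sites zone defaults relaxed.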

Restart Requirement

This update requires a restart.

Bulletins Replaced by This Update

MS12-052

Full Details

https://technet.microsoft.com/security/bulletin/MS12-063 

New Security Advisory

Microsoft published one new security advisory on September 21, 2012. Here is an overview of this new security advisory:

Security Advisory 2755801

Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10

Affected Software

Internet Explorer 10 on Windows 8 and Windows Server 2012

Executive Summary

Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10.

Mitigations

  •   In a web-based attack scenario where the user is using Internet Explorer 10 for the desktop, an attacker could host a website that contains a webpage that is used to exploit any of these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
  •   Internet Explorer 10 in the Windows 8-style UI will only play Flash content from sites listed on the Compatibility View (CV) list. This restriction requires an attacker to first compromise a website already listed in the CV list. An attacker could then host specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
  •   By default, all supported versions of Microsoft Outlook and Windows Live Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use any of these vulnerabilities to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of any of these vulnerabilities through the web-based attack scenario.
  •   By default, Internet Explorer on Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. This mode can help reduce the likelihood of exploitation by these vulnerabilities in Adobe Flash Player in Internet Explorer 10.

More Information

https://technet.microsoft.com/en-us/security/advisory/2755801

Public Bulletin Webcast

Microsoft will host a webcast to address customer questions on the new security bulletin:

Resources related to this alert

Security Bulletin MS12-063 – Cumulative Security Update for Internet Explorer (2744842): https://technet.microsoft.com/security/bulletin/MS12-063

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.