Assessing risk for the August 2012 security updates

Today we released nine security bulletins addressing 26 CVE’s (13 Microsoft and 13 Oracle CVE’s). Five of the bulletins have a maximum severity rating of Critical and the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Rating Likely first 30 days impact Platform mitigations and key notes

(Windows Common Controls)

Attackers have leveraged this vulnerability in limited, targeted attacks by emailing malicious RTF file to victims. Victim opens RTF in WordPad or Word, triggering code execution in context of logged-on user. The vulnerability could also be triggered by browsing to a malicious webpage. Critical 1 Limited, targeted attacks in the wild currently.

See this SRD blog post for more detail about this specific vulnerability, how it differs from the previous MSCOMCTL issue released in April, and workaround options we recommend to harden against any future vulnerabilities in this component.

This vulnerability cannot be triggered from within Outlook’s preview pane.  The email-based RTF attack vector would require double-clicking the RTF attachment.


(Internet Explorer)

Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploits developed within next 30 days.  

(Windows Networking Components)

Attacker on an enterprise network (or after having been elected master browser in a workgroup) makes available a shared resource (such as a printer) with a malformed name. Victim workstations at each startup and at regular intervals query master browser for list of shared resources. Malformed attacker name in this list triggers vulnerability in a service (such as the spooler service) on victim workstations. Critical 1 Likely to see reliable exploits developed within next 30 days. Windows Vista and later platforms affected by default only by denial-of-service issue, not the code execution vulnerability. See this SRD blog post for more background on the issue.

(Oracle Outside In for Exchange)

Attacker sends email with malicious attachment and lures victim to view the attachment as a webpage within Outlook Web Access. The attacker could potentially compromise the server-side process generating the web page. Critical 1 Likely to see reliable exploits developed within next 30 days. Oracle Outside In process runs at a lower privilege level, LocalService. For more background information, please see this SRD blog post.

(Terminal Services)

Attacker sends malicious Remote Desktop Protocol (RDP) request to a Windows XP victim running Terminal Services, potentially executing code as SYSTEM before authentication is required. Critical 2 Less likely to see a reliable exploit developed in the next 30 days. Affects only Windows XP workstations that have enabled Remote Desktop.


(Windows drivers [win32k.sys])

Attacker running code on a machine already elevates from low-privileged account to SYSTEM. Important 1 Likely to see an exploit released granting a local attacker SYSTEM level access.  


Victim opens malicious Visio .DXF file. Important 1 Visio exploits not often seen in the wild. Unsure whether we will see exploit released. Visio not installed by default with most Office installations.

(JScript, VBScript)

Victim browses to a malicious webpage on a 64-bit system having 8GB+ of RAM. Must be running 64-bit of Internet Explorer. Important 2 Less likely to see a reliable exploit developed in next 30 days. Only 64-bit versions of Internet Explorer running on 64-bit systems having more than 8GB of RAM are affected.


Victim opens a malicious Office document having a corrupted CGM file. Important 3 Unlikely to see a reliable exploit developed in next 30 days. The CGM graphics filter was disabled with MS10-105. This security update addresses an upgrade scenario in which graphics filter was not properly disabled.

In addition to the nine new security bulletins, we have re-released MS12-043 to make available a security update for Microsoft XML Core Services 5.0 that was unavailable at the time of initial release.

Finally, we have also released a new security advisory, KB 2661254, to inform customers of an update available on the Download Center that restricts the use of certificates with RSA keys less than 1024 bits in length. This advisory announces that we plan to release this update through Microsoft Update in October, 2012 after customers have a chance to evaluate their unique environments with the update and take necessary actions to use certificates of 1024 or greater bit length.

– Jonathan Ness, MSRC Engineering