Assessing risk for the October 2012 security updates

Today we released seven security bulletins addressing 20 CVEs (7 Microsoft and 13 Oracle CVEs). Only one of the bulletins is rated Critical. The other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability Index | Likely first 30 days impact | Platform mitigations and key notes |
| --- | --- | --- | --- | --- | --- |
| | Victim opens a malicious RTF file attachment or previews a rich text email in the Outlook preview pane with Word set as default viewer, resulting in potential code execution in the context of the logged-on user. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | |
| | Attacker submits malicious HTML to a server, bypassing SafeHTML’s sanitization code. The malicious HTML is subsequently displayed to a victim, resulting in potential information disclosure. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | We have seen limited, targeted attacks attempting to leverage this vulnerability against Microsoft online services. No known attacks against the products being addressed by MS12-066. |
| (FAST Search Server for SharePoint) | Attacker having permission to upload malicious content to a SharePoint server does so, which is indexed by FAST Search Server, resulting in potential code execution in context of the restricted token used by the indexing service. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | The SharePoint Advanced Filter Pack that leverages Oracle Outside In technology for indexing is not enabled by default. The process that SharePoint uses for indexing when it is enabled runs with a restricted token similar to the Office 2010 Protected View sandbox. For more information, please see this SRD blog post. |
| | Attacker able to initiate a network connection from one domain-joined machine to another domain-joined machine can send a malformed request that could cause a NULL dereference in LSASS on the remote computer. Unexpected termination of LSASS will initiate a server reboot. | Important | N/A | No potential for code execution. | Attacker must be able to make outbound NTLM authentication request from a domain-joined computer. This traffic is typically blocked at external firewall making the issue less likely to be triggered from attackers originating outside enterprise network. |
| (Works 9) | Victim opens a malicious .DOC file with Works 9, resulting in potential code execution in the context of the logged-in user. | Important | 2 | Combination of difficulty to build working exploit + limited set of customers using this older product makes this vulnerability less attractive to attackers. | Affects only Works version 9. |
| | Attacker able to run code on a system at a low privilege level triggers this vulnerability to disclose contents of memory which could lead to privilege escalation from low-privileged to a higher privilege. | Important | 3 | Less likely to see exploit written for this vulnerability to directly execute code. More likely to see it used as an information disclosure vulnerability to reveal memory contents that would otherwise be unavailable to an attacker running code at low privilege level. | |
| (SQL Reporting Services) | Attacker sends victim a link exploiting a Cross-Site Scripting (XSS) vulnerability on a SQL Reporting Services server for which the victim has access rights. When the victim clicks the link, an automatic action is taken on their behalf on the SQL Reporting Services server that they otherwise might not have wanted to execute. | Important | 1 | Likely to see a XSS exploit developed in next 30 days (no exploit here for code execution on the SQL server or SQL Reporting Services server). | The IE XSS Filter, if enabled for Intranet sites, would block attempts to exploit this vulnerability. |

In addition to the seven new security bulletins, we have re-released MS12-043 to make available a security update for Microsoft XML Core Services 4.0 on Windows 8. (MSXML4 does not ship with Windows by default but can be included as a redistributable component with installed applications.)

We are also revising security advisory 2661254 to note that the update is now available for all customers over Automatic Updates.

Finally, we are releasing a new security advisory, 2749655, describing potential compatibility issues due to incorrect digital certificate timestamps in recently-released security updates. You can read more detail about that situation in the security advisory and the SRD blog post.

Please let us know if you have any questions about this month’s release. You can email the MSRC Engineering research team at switech [at] microsoft [dot] com or tune in to the monthly webcast tomorrow at 11 a.m. PDT. Click here to register for the webcast.

– Jonathan Ness, MSRC Engineering