'Sons of Duqu' targeted in Microsoft May security patches

Microsoft releases seven bulletins – three critical and four important – for 23 vulnerabilities in its May Patch Tuesday monthly security update

Microsoft has released seven bulletins – three critical and four important – addressing 23 vulnerabilities in its May Patch Tuesday monthly security update.

MS12-029 is the bulletin that should be highest on the list for most organisations, as it can be used to gain control of a user's machine without requiring user interaction, said Wolfgang Kandek, chief technology officer at security firm Qualys.

"The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit," Kandek said.

MS12-034, which addresses 10 vulnerabilities, is the second critical bulletin. It applies to the broadest selection of Microsoft software this month.

In December 2011 Microsoft issued bulletin MS11-087, which patched a vulnerability in the TrueType font handling in win32k.sys DLL that had actively been exploited by the Duqu malware. After the fix was delivered, Microsoft's internal security team identified further occurrences of the vulnerable code in Microsoft's other software packages and found multiple products that contained the flawed code.

"MS12-034 now provides the patches necessary to address these 'Sons of Duqu vulnerabilities', together with a number of other security fixes (9 CVEs) that were bundled into the same files," said Kandek.

Although there is no known malware currently exploiting this issue, he recommends administrators look at Microsoft's SRD blog for a summary of their internal engineering process.

MS12-035 is the third critical bulletin and addresses a flaw in XBAP, a Microsoft browser-based application delivery format.

"It is probably the least urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the intranet zone of the target," said Kandek.

Since the MS11-044 bulletin in June 2011, Windows no longer simply runs an XBAP application but asks the user (via a popup window) whether it is OK to execute it, which provides an additional layer of security.

"However, we advise users to completely disable XBAP to improve the overall robustness of your installation," said Kandek.
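For administrators who want to follow that advice, here is an added example (not from the article or from Qualys) that disables XAML Browser Applications in Internet Explorer's Internet and Restricted Sites zones. It assumes the zone URL-action ID 2400 is URLACTION_XAML_BROWSER_APPLICATIONS as documented in Microsoft's URL Action Flags, with 3 meaning Disable, 1 Prompt and 0 Enable, and that the machine-wide HKLM zone keys are used.

```powershell
# Added example: disable XBAP (URL action 0x2400) per IE security zone.
# Assumption: action ID 2400 = URLACTION_XAML_BROWSER_APPLICATIONS,
# value 3 = Disable (0 = Enable, 1 = Prompt). Run from an elevated prompt;
# use HKCU:\ instead of HKLM:\ to change only the current user's settings.

$zoneRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$action   = '2400'
# Zone 3 = Internet, zone 4 = Restricted Sites (zone 1, Local intranet, is
# where the bulletin notes exploitation needs no user interaction; add it
# here if XBAP is not needed on internal sites either).
$zones = [ordered]@{ 'Internet' = 3; 'RestrictedSites' = 4 }

function Get-XbapSetting([string]$zonePath) {
    $item = Get-ItemProperty -Path $zonePath -Name $action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (inherits default)' }
    return $item.$action
}

foreach ($name in $zones.Keys) {
    $path = Join-Path $zoneRoot $zones[$name]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

    $before = Get-XbapSetting $path
    Set-ItemProperty -Path $path -Name $action -Value 3 -Type DWord
    $after  = Get-XbapSetting $path

    # Report the change so the result can be checked and audited.
    Write-Output ("{0,-16} zone {1}: {2} -> {3}" -f $name, $zones[$name], $before, $after)
}
```

The same setting can be pushed through Group Policy (Internet Explorer zone policies, "XAML browser applications"), which is preferable to editing the registry directly on a fleet.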

Of the remaining four important bulletins, he recommends focusing on MS12-030 for Excel and MS12-031 for Visio, because both are file-format vulnerabilities that allow an attacker to take control of the targeted machine if its user opens a specially crafted file.

"As we have seen in some of the last year's data breaches, this lowers the success rate only slightly as attackers are capable of drafting a convincing e-mail that can trick a percentage of the e-mail's recipients into opening such a file," said Kandek.

Adobe's monthly patch release, now timed to coincide with Microsoft's, addresses five vulnerabilities in its Shockwave player.

According to Kandek, three of the vulnerabilities were discovered by Rodrigo Branco, director of vulnerability and malware research at Qualys, which has published detailed advisories on the subject.
