Assessing risk for the December 2012 security updates - Security Research & Defense - Site Home

Today we released seven security bulletins addressing 12 CVE’s. Five of the bulletins have a maximum severity rating of Critical, and two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin	Most likely attack vector	Max Bulletin Severity	Max XI	Likely first 30 days impact	Platform mitigations and key notes
MS12-077 (Internet Explorer)	Victim browses to a malicious webpage.	Critical	1	Likely to see reliable exploits developed within next 30 days.	Internet Explorer versions 6, 7, 8 offered this update only to block a defense-in-depth attack vector whereby an attacker could convince a victim to trigger a XSS vulnerability by copy-pasting JavaScript into the URL field.
MS12-079 (Word)	Victim opens a malicious RTF file attachment or previews a rich text email in the Outlook preview pane with Word set as default viewer, resulting in potential code execution in the context of the logged-on user.	Critical	1	Likely to see reliable exploits developed within next 30 days.	Reading email in plaintext mitigates the potential Outlook Preview Pane attack vector.
MS12-081 (Windows File Handling)	Victim navigates to a malicious WebDAV or SMB share and encounters a maliciously-crafted Unicode filename.	Critical	1	Likely to see reliable exploits developed within next 30 days.
MS12-078 (Windows font drivers - ATMFD & win32k.sys)	Most likely attack vector is an attacker who is already running code on a machine leverages vulnerability to elevate from low-privileged account to SYSTEM.	Critical	1	Likely to see an exploit released granting a local attacker SYSTEM level access.	One of the two CVE’s usable for denial-of-service only. The other (CVE-2012-4786) could potentially be embedded in either an Office document or a PDF file.
MS12-080 (Oracle Outside In for Exchange)	Attacker sends email with malicious attachment and lures victim to view the attachment as a webpage within Outlook Web Access. The attacker could potentially compromise the server-side process generating the web page.	Critical	1	Likely to see reliable exploits developed within next 30 days.	Oracle Outside In process runs at a lower privilege level, LocalService. For more background information, please see this SRD blog post.
MS12-082 (DirectPlay)	Victim opens a malicious Office document having an embedded ActiveX control, resulting in potential code execution in the context of the logged-in user.	Important	2	Will be difficult to build a reliable exploit for this vulnerability. Less likely to see consistently working exploit code in the next 30 days.
MS12-083 (IP-HTTPS Security Feature Bypass)	Attacker having a legitimately issued but hence revoked computer certificate able to establish a DirectAccess tunnel to gain access to a corporate Intranet.	Important	N/A	Not Applicable - Security Feature bypass only with no direct code execution potential.	This attack is only possible after attacker obtains a revoked computer certificate that is trusted by the IP-HTTPS server.

- Jonathan Ness, MSRC Engineering