It’s the dog days of patching; August’s Patch Tuesday includes several critical updates for Windows XP and Windows 7.
Along with the usual suspects — Internet Explorer, for example — we’re adding patches to protect ourselves from malicious RTF files.
MS12-060 (983812, 983813, 2687323, 2687441, 2597986)
Rich-text-file attacks prompt Office patches
Rated critical, the threat detailed in MS Security Bulletin MS12-060 comes from a vulnerability in the TabStrip ActiveX control within the Windows common controls. (TabStrip manages the use of display tabs in an application window.) More to the point, however, cyber criminals are already using this exploit to take over systems by sending malicious RTF file attachments in e-mails. But the threat also comes from maliciously designed or compromised webpages.
This patch applies to all supported editions of Microsoft Office 2003, 2007, and 2010 (except the x64-based editions), plus many versions of MS SQL Server, MS Commerce Server, MS Host Integration Server, and related applications. MS12-060 has the complete list of affected and nonaffected software.
You can expect to see updates for Office 2003, 2007, and possibly 2010, even if you don’t have these Office versions installed. MS Support article KB 830335 has a detailed explanation of when and how this happens.
TabStrip is part of the MSCOMCTL.OCX system file, which we patched previously in Support Bulletin MS12-027 (that time for vulnerabilities in other ActiveX controls). This time around, an MS Security Research & Defense blog discussing MS12-060 recommends using Microsoft’s Enhanced Mitigation Experience Toolkit for additional protection. Look for a discussion of EMET in a future Patch Watch.
What to do: Workstation users should install KB 2687323, KB 2687441, and/or KB 2597986 as soon as they appear in Windows Update. Go to MS12-060 for the complete list of patch numbers and links to manual-download pages.
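A triage check for the RTF attachments described above, as an added example that is not from the original article or from Microsoft: it lists the OLE class names an RTF file embeds and flags any that belong to the common controls library. The `MSComctlLib.` ProgID prefix, the function names, and the sample input are assumptions made for this illustration.

```python
import re

# Assumption: controls shipped in MSCOMCTL.OCX register ProgIDs that begin
# with "MSComctlLib." (for example MSComctlLib.TabStrip.2).
WATCHED_PREFIX = "mscomctllib."
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^{}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)")

def _ole1_class_name(blob):
    """Read ClassName from an OLE1 header: version, format id, length-prefixed ANSI string."""
    if len(blob) < 12:
        return None
    length = int.from_bytes(blob[8:12], "little")
    if not 0 < length <= 64 or len(blob) < 12 + length:
        return None
    return blob[12:12 + length].rstrip(b"\x00").decode("latin-1")

def embedded_classes(rtf_bytes):
    """Collect class names from \\objclass groups and from \\objdata headers."""
    names = [m.group(1).strip().decode("latin-1") for m in OBJCLASS_RE.finditer(rtf_bytes)]
    for m in OBJDATA_RE.finditer(rtf_bytes):
        # The hex stream may be wrapped across lines; keep hex digits only.
        # Control words hidden inside the stream will defeat this simple pass.
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        digits = digits[: len(digits) // 2 * 2]
        name = _ole1_class_name(bytes.fromhex(digits.decode("ascii")))
        if name:
            names.append(name)
    return names

def flag_rtf(rtf_bytes):
    """Return the watched class names found in an RTF file, or [] if none."""
    if not rtf_bytes.lstrip().startswith(b"{\\rt"):
        return []
    return sorted({n for n in embedded_classes(rtf_bytes) if n.lower().startswith(WATCHED_PREFIX)})

def make_sample(class_name):
    # Constructed sample: an RTF wrapper around an OLE1 header only, no object body.
    name = class_name.encode("ascii") + b"\x00"
    header = bytes.fromhex("0105000002000000") + len(name).to_bytes(4, "little") + name
    return b"{\\rtf1 hello{\\object\\objocx{\\*\\objdata " + header.hex().encode() + b"}}}"
```

A hit means only that the document embeds one of these controls; it is a reason to quarantine the attachment for closer inspection, not proof of an exploit.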
MS12-052 (2722913) and MS12-056 (2706045)
Two more updates for Internet Explorer