Five July Windows Bulletins: MSXML Fix Included

Severity: High


  • These vulnerabilities affect: All current versions of Windows, as well as optional components like MSXML and MDAC.
  • How an attacker exploits them: Multiple vectors of attack, including  enticing your users to web sites with malicious content or getting them to run malicious executables
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.


Today, Microsoft released five security bulletins describing six vulnerabilities affecting Windows and optional components that sometimes ship with it (XML Core Services and Microsoft Data Access Components). Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-043: MSXML Code Execution Vulnerability

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It ships with various versions of Windows, and other Microsoft products. If you have a Windows computer, you very likely have MSXML.

MSXML suffers from a memory corruption vulnerability, which attackers found before Microsoft. By luring your users to a web site with malicious code, an attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. If you give your users local administrator privilege, the attacker gains full control of their computer.

As we mentioned in June, attackers have exploited this previously unpatched vulnerability in the wild for over a month. You should install Microsoft’s MSXML patch immediately!

Microsoft rating: Critical

  • MS12-045: MDAC Code Execution Vulnerability
The Microsoft Data Access Components (MDAC) are a collection of Windows components that allow other programs to easily access and manipulate databases. Unfortunately, MDAC suffers from a heap overflow vulnerability involving its mishandling of specially crafted XML code. By luring one of your users to a malicious web page, or to a legitimate page that has been hijacked, an attacker can leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, attackers could leverage these flaws to gain complete control of their PCs. 

Microsoft rating: Critical

  • MS12-047 :  Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from two local elevation of privilege flaws. Though the flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage either of these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computer, which significantly lessens the severity of this vulnerability

Microsoft rating: Important

  • MS12-048 :  Windows Shell Command Injection Vulnerability

The Windows Shell is the primary GUI component for Windows. It suffers from a vulnerability having to do with the way it handles specially crafted file or directory names. If an attacker can entice you to interact with a maliciously crafted file or directory, she could exploit this flaw to gain full control of your computer. Attackers could deliver such files via email, web sites, or by placing them in local folders or shared files systems within your network.

Microsoft rating: Important

  • MS12-049 :  TLS Protocol Information Disclosure Flaw

The Transport Layer Security (TLS) protocol is an encryption standard for privately encoding network communications, including Web and email traffic. According to Microsoft’s bulletin, the TLS protocol suffers from an industry-wide design flaw when using TLs with the cipher-block chaining (CBC) mode of operation. If an attacker can monitor your encrypted TLS communications, they could leverage this complex vulnerability to decrypt your TLS traffic, and gain access to your confidential communications. Since web sites often use TLS to secure their communications, attackers could leverage this flaw to decrypt secure web traffic. That said, attackers would first need find a way to intercept your web communications in order to set up this sort of Man-in-the-Middle (MitM) attack.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service, can often help protect you from these vulnerabilities. For instance, our GAV service will block much of the malware attackers try to deliver when exploiting these sorts of software vulnerabilities.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.


  1. WatchGuard Security Week in Review: Episode 26 | WatchGuard Security Center - July 13, 2012

    […] Consolidated Windows alert – WGSC […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: