In the June 2012 edition of Patch Tuesday, Microsoft shipped seven security bulletins, only three of which were deemed worthy of a critical rating.
This month’s critical fixes are all remote code execution vulnerabilities in Windows, Internet Explorer, and the .NET framework.
The first, MS12-036, is a vulnerability in Remote Desktop. It was privately reported and could lead to remote code execution if an attacker sends a sequence of specially crafted Remote Desktop Protocol (RDP) packets. Default systems, that is, those without RDP enabled, are not vulnerable.
The second, MS12-037, is a cumulative security update for Internet Explorer that resolves one publicly and 12 privately disclosed vulnerabilities. Among these bugs, the most severe could allow an attacker to remotely execute code and gain user rights if the user visits a specially crafted webpage. As always, users with fewer rights would be less impacted.
The last critical bug, MS12-038, resolves an issue in the .NET framework that was privately reported to Microsoft. If exploited on an unpatched machine, the vulnerability could give an attacker user rights and the ability to remotely execute code if the attacker can coerce users to view a specially crafted webpage in a browser that can run XAML browser applications (XBAP). Users with fewer rights are less impacted. The vulnerability can also be used to bypass code access security in the .NET framework, but as before, the attacker would have to convince a user to visit a specially crafted website.
The four remaining bulletins, affecting Microsoft Lync, Dynamics AX, and Windows, all received important ratings. MS12-039, MS12-040, MS12-041, and MS12-042 address vulnerabilities in Lync that could allow remote code execution and vulnerabilities in Dynamics AX, Windows Kernel-Mode drivers, and the Windows Kernel itself that could all lead to elevation of privilege.
Check out Microsoft’s TechNet blog for a full description of all of this month’s patches.