SpiderLabs Blog

Microsoft Patch Tuesday: IE, Common Control, and Digitized Chuck Yeager

Written by nosteve | Apr 11, 2012 4:47:00 AM

For those of you that remember Microsoft Works, today's update will be special for you. Finally, those of us who felt jilted by Office's superiority complex all these years can have our revenge. MS12-028 confirms it: Works is an Office killer, literally. OK, so it's buried at the bottom of the update, and sure there are 4 critical vulns across Windows and IE, but the Works thing got me all fired up about old computers.

Works was like some kind of Microsoft Office "Lite" edition, but with all the apps wrapped up in a single program. Works included a word processor, spreadsheet, calendar, and even a database for cataloging your 8-track collection. I remember first seeing this impressive software engineering achievement on a shiny new IBM PS/1 that the kid down the street got. This machine was IBM's next foray into the whipper-snapper world of "personal computers" after the Charlie Chaplin PCjr debacle.

They also had some kind of flight simulator with Chuck Yeager in it, where he would tell you how terrible you were when you crashed into the ground. Which happened about 100% of the time. Actually I think Major General Yeager practically invented the "DOING IT WRONG" meme, in addition to his other aeronautical achievements.

And with that in mind, this Patch Tuesday is dedicated to Digitized Chuck "Ace-in-a-Day" Yeager, motivational speaker and fastest man alive.

MS12-023 / KB2675157

Vulnerability in Windows Common Controls Could Allow Remote Code Execution

Critical

JScript9 Remote Code Execution Vulnerability, CVE-2012-0169

OnReadyStateChange Remote Code Execution Vulnerability, CVE-2012-0170

VML Style Remote Code Execution Vulnerability, CVE-2012-0171

selectAll Remote Code Execution Vulnerability, CVE-2012-0172

MS12-023 is rated as a critical update since it can allow remote code execution if a user views a specially crafted webpage with Internet Explorer. This can give an attacker the same system privileges as the current user. This cumulative update for IE doesn't fix just one but five different security vulnerabilities in the age-old browser affecting everything from IE 6 on Windows XP up to and including IE 9 on Windows Server 2008 x64 SP1. Four of those five vulnerabilities will allow RCE, and considering the severity, it is definitely something to pay attention to. If you have automatic update enabled you should be all set as this will install automatically. If you don't use automatic update this is one update you want to get installed quickly.

Malware targeting this vulnerability can be detected at the network level. Trustwave IDS and UTM are being updated to detect this activity.

Digitized Chuck Yeager says:

MS12-027 / KB2664258

Vulnerability in Windows Common Controls Could Allow Remote Code Execution

Critical

MSCOMCTL.OCX RCE, CVE-2012-0158

Windows Common Controls is a foundational visual library for displaying things like dialog boxes and tree views. MSCOMCTL.OCX is an ActiveX control that ties into this functionality, and it's pretty common across applications such as SQL Server, Office, and VB applications. This flaw allows code execution in the context of a user that encounters targeted malicious content. This could be delivered via a webpage, email, or even a digitized picture of Chuck Yeager.

Microsoft has advised us that this vulnerability is being exploited in the wild, so it's an especially important update. Also expect network detection signatures for this threat to surface, including those used by Trustwave IDS and UTM.

Digitized Chuck Yeager says:



MS12-024 / KB2653956

Vulnerability in Windows Could Allow Remote Code Execution

Critical

WinVerifyTrust Signature Validation Vulnerability, CVE-2012-0151

This one involves Portable Executable files and Windows versions from XP SP3 through Windows 7 and even Server 2008 R2 for Itanium SP1 (in other words, pretty much all of them). A Portable Executable is the file format used for executables, object code and DLLs. If you are able to craft a PE just right, you might be able to gain remote code execution on a target system. It is also possible to append malicious code to an existing PE file without invalidating its signature. An attacker can then email the PE file to a targeted user and get them to open it, or trick a user into visiting a webpage and downloading it, possibly disguised as a media player or other file. The update modifies how Authenticode Signature Verification (you might know it as WinVerifyTrust) verifies Portable Executable files. Of course, making such a modification may cause some valid PE files to become 'unsigned', most likely installer files, in which case the files will need to be re-signed by their authors. Obviously this is a critical update and should be applied to all systems.
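As an added example (not code from the original post or from Trustwave), here is a Python check for the layout MS12-024 is about: Authenticode excludes the attribute certificate table from its hash, so slack inside that table beyond the DER-encoded PKCS#7 blob, and bytes past the table's declared end, are both worth flagging on a file that claims to be signed. The PE skeleton and the DER blob it builds are constructed placeholders, not a real signed binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot of the attribute certificate table
PE32_MAGIC = 0x10B                   # PE32+ is 0x20B; its fixed optional header is 112 bytes, not 96

def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if the PE carries no signature."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20                              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_off = opt_off + (96 if magic == PE32_MAGIC else 112)  # first data directory entry
    off, size = struct.unpack_from("<II", pe, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if off and size else None             # this entry holds a file offset, not an RVA

def der_total_length(blob: bytes) -> int:
    """Size of the outermost DER element (tag + length field + content), i.e. the PKCS#7 SignedData."""
    first = blob[1]
    if first < 0x80:                                         # short-form length
        return 2 + first
    n = first & 0x7F                                         # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def unsigned_bytes_report(pe: bytes) -> dict:
    """Bytes the Authenticode hash does not cover: slack in the certificate table past the DER blob
    (normally under 8 bytes of alignment padding) and anything after the table's declared end."""
    region = security_directory(pe)
    if region is None:
        return {"signed": False, "cert_slack": 0, "trailing": 0}
    start, size = region
    dw_length = struct.unpack_from("<I", pe, start)[0]      # WIN_CERTIFICATE.dwLength
    der_len = der_total_length(pe[start + 8:start + dw_length])
    return {"signed": True,
            "cert_slack": dw_length - 8 - der_len,
            "trailing": max(0, len(pe) - (start + size))}

def build_pe(der: bytes, slack: int = 0, appended: bytes = b"") -> bytes:
    """Constructed, non-loadable PE32 skeleton used as sample input: headers, then the certificate table."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew at 0x3C points to 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)   # i386, 224-byte optional header
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 94                # 96-byte fixed PE32 part
    dirs = bytearray(16 * 8)
    cert_off = len(dos) + 4 + len(coff) + len(opt) + len(dirs)
    dw_length = 8 + len(der) + slack
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, dw_length)
    cert = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + der + b"\0" * slack  # WIN_CERTIFICATE
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert + appended
```

Run unsigned_bytes_report() over a signed binary's bytes; a cert_slack above 7 (the 8-byte alignment padding) or any trailing bytes is the kind of thing to look at more closely.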

Digitized Chuck Yeager says:



MS12-025 / KB2671605

Vulnerability in .NET Framework Could Allow Remote Code Execution

Critical

.NET Framework Parameter Validation Vulnerability, CVE-2012-0163

This is a parameter validation vulnerability, and it's a pretty big deal because it can get an attacker full access to the system and affects all versions of .NET. It affects both client and server scenarios, via web browsing and ASP.NET respectively. The browsing scenario is centered on XAML browser applications in IE, which interface with the .NET runtime. We don't think about .NET in this context very often, so it's important to call it out: it's a problem for everyone with .NET, which covers the gamut of Windows users.

Digitized Chuck Yeager says:



MS12-026 / KB2663860

Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure

Important

Unfiltered Access to UAG Default Web Site, CVE-2012-0147

You can think of Forefront Unified Access Gateway as sort of a real fancy VPN that offers remote access on managed and unmanaged PCs and mobile devices to people inside and outside of an organization, mainly vendors and partners. This update actually fixes two vulnerabilities in the product. The most severe one could allow an attacker to recover information from a UAG server if it receives a specially crafted query. The update changes UAG to require additional authorization and prevents unfiltered access to internal resources. Microsoft is labeling this update only as moderate, but if you are running Forefront that doesn't mean you shouldn't install the patch anyway.

Digitized Chuck Yeager says:



MS12-028 / KB2639185

Vulnerability in Microsoft Office Could Allow for Remote Code Execution

Important

Office WPS Converter Heap Overflow Vulnerability, CVE-2011-3398

This is the vulnerability that started this whole bizarre theme, which isn't even making any sense at this point. The flaw appears when importing Works word processing files into Office, so it might be a little rare, but it could end up being used in an email attack since .wps files will be automatically handled by Office. All kidding aside, there's more to this than disgruntled PS/1 users and it's worth getting this taken care of. It might even be worth blocking the .wps extension altogether, unless you're in the 8-track business.

Digitized Chuck Yeager says:



Who indeed, Major General. Who, indeed?

Thanks to Space Rogue for all his research help, and for putting up with whatever this is.