Microsoft warns of 'limited, targeted attacks' against Windows vulnerability

Summary: The vulnerability under attack exists in Windows Common Controls and can be exploited to launch remote code execution attacks if a user simply surfs to a malicious website.

Microsoft today shipped patches for at least 11 documented security vulnerabilities, including one that's already being hit with "limited, targeted attacks."

The vulnerability under attack -- fixed today with the MS12-027 bulletin -- exists in Windows Common Controls and can be exploited to launch remote code execution attacks if a user simply surfs to a malicious website.

The vulnerability is caused when the MSCOMCTL.OCX ActiveX control, while being used in Internet Explorer, corrupts the system state in such a way as to allow an attacker to execute arbitrary code.

follow Ryan Naraine on twitter

Microsoft is calling on Windows users to apply this bulletin as a priority because of the high risk of code execution attacks.

The company is also calling special attention to MS12-023, which addresses at least 5 flaws in the Internet Explorer browser.

The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Windows users are also urged to apply a third "critical" bulletin (MS12-024), which covers a "critical" vulnerability that allows remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

This month's Patch Tuesday batch also includes:

  • MS12-025 (Critical) -- A privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
  • MS12-026 (Important) -- Two privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG). The more severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted query to the UAG server.
  • MS12-028 (Important) -- This security update resolves a privately reported vulnerability in Microsoft Office and Microsoft Works. The vulnerability could allow remote code execution if a user opens a specially crafted Works file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Talkback

26 comments
  • Is there any reason...

    ...why we shouldn't just post our personal banking and medical information on Facebook? At least it's cheaper than keeping the virus scanners up to date, and it leads to the same result!
    Tony Burzio
    • Interesting...

      But I trust these blaggards more than I do Facebook... I'd first have to open a Facebook account, and I really don't want to do that. :-)

      I'll stick to using script blockers and non-OS vendor supplied browsers, for now.
      wright_is
  • It would be nice to hear how Protected Mode would mitigate these issues.

    It appears Protected Mode would significantly reduce what any executed code could do.
    ye
    • Protected mode will block this attack

      Whenever the bulletin says

      "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

      It applies to protected mode. Protected mode works by modifying the process token to set it as a low-integrity process. Low integrity processes are severely restricted in what they can do, e.g. they cannot write to any file or registry position (except for designated low-integrity files/directories/keys) *even* if the user otherwise has write access to them.

      *However*, a small part of IE (the so-called broker process) does *not* execute under protected mode. A successful compromise of this process will allow the attacker to run as the user with "normal" integrity level (still not with administrator privileges even if the user is admin). Given that this bug is in the "common controls" and that the broker process indeed uses common controls (for the save dialog) there is a risk that this bug is *outside* protected mode. It does seem that it applies to an older version of comctl, however; so it is probably not the version used by the broker.

      The principle is called "no-write-up".
      honeymonster
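
An added illustration (not part of the original comment and not Microsoft code) of the no-write-up rule described in the comment above: a simplified Python model in which the integrity check runs before the ordinary DACL check. The user name, object names and function names are hypothetical.

```python
# Simplified model of the Windows mandatory integrity check ("no-write-up").
# Illustration only: real access checks involve SIDs, ACEs and more policy bits.
from dataclasses import dataclass
from typing import Optional

# Integrity-level RIDs used in Windows mandatory labels (S-1-16-<RID>).
LOW, MEDIUM, HIGH = 0x1000, 0x2000, 0x3000


@dataclass
class Token:
    user: str
    integrity: int


@dataclass
class SecuredObject:
    name: str
    dacl: dict                   # user -> set of rights granted by the DACL
    label: Optional[int] = None  # None: no mandatory label on the object

    def effective_label(self) -> int:
        # An object without an explicit label is treated as medium integrity.
        return MEDIUM if self.label is None else self.label


def access_check(token: Token, obj: SecuredObject, right: str) -> bool:
    # Step 1: mandatory integrity check, evaluated before the DACL.
    # Default policy is no-write-up: a lower-integrity subject may not write
    # to a higher-integrity object. Reads of files are not blocked by default.
    if right == "write" and token.integrity < obj.effective_label():
        return False
    # Step 2: ordinary discretionary check against the DACL.
    return right in obj.dacl.get(token.user, set())


# Constructed sample data: the same user runs both processes.
rights = {"alice": {"read", "write"}}
documents = SecuredObject(r"Documents\report.doc", rights)               # unlabeled
low_cache = SecuredObject(r"AppData\LocalLow\cache.tmp", rights, LOW)    # low label
ie_tab = Token("alice", LOW)        # Protected Mode content process
ie_broker = Token("alice", MEDIUM)  # broker process outside Protected Mode

if __name__ == "__main__":
    for tok, name in ((ie_tab, "tab"), (ie_broker, "broker")):
        for obj in (documents, low_cache):
            print(name, obj.name, "write:", access_check(tok, obj, "write"))
```
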
      • I reached the same conclusion as you.

        However I would like to hear specifically from Microsoft about it.
        ye
  • I'm waiting for Loverock Davidson to give me the all clear

    This guy has never been wrong about anything Microsoft yet .......or has he? :-)
    Over and Out
    • You get an A for sarcasm

      ;)
      ScorpioBlack
    • Right!

      "This guy has never been wrong"
      You got that right!
      Loverock Davidson-
      • And you get an F for troll

        Flagged for you being the usual ass_hole
        ScorpioBlack
      • Please respect the TOS

        @ScorpioBlack

        Without limiting any other provision in these Terms, you may not use the Services to do the following or assist others to do the following:

        Threaten, defame, stalk, abuse, or harass other persons...

        If you do not agree to these Terms, you should immediately stop using the Services.
        TechNickle
  • The vulnerability under attack - now fixed today with the MS12-027 bulletin

    For this one, it's past time to update.

    It's not just Internet Explorer that's at risk of attack. Microsoft Office 2003, 2007 and 2010 (32-bit) are also at risk. Office 2010 64-bit is not at risk. Protected view for Microsoft Office is only available for Office 2010 on either Windows Vista or 7. And are there any broker processes for Office 2010 on Vista/7?

    And don't forget Pwn2Own. Medium integrity level access to one's user account is checkmate. After all, that's where the data are at.

    From the link to the MS12-027 bulletin:

    "Mitigating Factors
    "The malicious file could be sent as an email attachment, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.
    "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

    "Workarounds
    "Do not open Microsoft Office or Rich Text Format (.rtf) files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file."
    Rabid Howler Monkey
  • Ha! See!

    For those who claim ZDNet is all about kicking Apple and Macs around, well here we are! As everyone should know Windows has flaws and ZDNet reports them. And I as a Windows user make no pretense about the fact the flaw does appear to exist and it's not good at all.

    It's better to live in reality than simply deny because you foolishly invest all your self-esteem in your OS. Windows in every version has never been perfect and will always need patching.
    Cayble
    • See what?

      "It's better to live in reality than simply deny because you foolishly invest all your self-esteem in your OS."

      You doing the same thing here? ;)
      ScorpioBlack
  • Double post

    NT
    ScorpioBlack
  • I don't care!

    I got Norton, am safe!
    neeeko
  • Using Windows means living in danger

    I got Linux and I'm totally safe!
    Matsi66
  • All need security but Windows just stands out way too different

    OK, I understand that no system is foolproof and that all need to be diligent with their security upkeeping. I understand that even Linux needs to take its security seriously (wait, I'm an Ubuntu user. Don't bash me). I might even reluctantly concede a little, just a little, that the market dominance of Windows has a part in attracting lots of malware authors (even though MS is at fault for starting off with a weak focus on security during the origins of Windows, and is now coming from a tradition of weak grip on security).

    But what I can't help myself smiling at these occasions is Microsoft's dramatic announcements of imminent security risks that are just discovered, mostly soon followed by hounds of attacks that spiral out of control. Even frantic emergency measures taken barely keep MS systems running and not before certain damages are done. Antivirus (oh and while we're at it let's add anti-spyware, anti-rootkit, anti-whatever) never do the trick for you satisfactorily. Windows security risk is just too systematic to escape it and maintain a certain level of safety. Why bother?

    Don't get me wrong, although I'm an avid fan of open-source, I believe that every product has something to offer, that every product has its own strengths and weaknesses, even Windows. But the heightened risky nature of Windows security is just unacceptable. Come on, there's supposed to be a balance for everything, but this is just plain ridiculous.

    If you ask my opinion, if there were to be such large Linux-focused malware attacks, Linux users and developers may have to take their security upkeep up a notch, but I seriously doubt we would see anything close to Windows' scale. Windows only recently started adapting security measures that were implemented years ago in Linux.

    Of course, from what I'm hearing recently, Macs may have started to compete with Windows with regards to getting caught with their pants down during malware attacks, and they seem to have a great potential. At least Microsoft does its best to react against discovered security risks.
    JOB83
    • Please go into detail.

      "Windows security risk is just too systematic to escape it and maintain a certain level of safety."

      I keep hearing this oft repeated but never supported claim. I've been asking for support for years. Yet it never comes. Perhaps you'll be the first?
      ye
      • If you have Windows...

        you need an antivirus by system if you want to surf the web or read a USB, etc.
        There is no way you are going to use a Windows machine without an AV working. I have been using my computers for 12 years without having to install an AV. I doubt a Windows user can say that.
        orendon