Microsoft Delivers 6 Out Of Band High Priority Security Updates

The New Acunetix V12 Engine


Now it was only last month when everyone was wrapped up in the MS12-020 RDP Exploit Code In The Wild issue.

As it turns out, Microsoft have been hiding some more serious security issues under the carpet. Apparently attackers are already exploiting the MS12-027 flaw in ActiveX in the wild – although Microsoft of course say there have been only ‘limited attacks’.

It’s a fair old bundle of updates and it must be serious if they are pushing an out of band patch and not just waiting for the next patch Tuesday (which is what they normally do).

Microsoft today delivered six security updates to patch 11 vulnerabilities in Windows, Internet Explorer (IE), Office and several other products, including one bug that attackers are already exploiting. The company also issued the first patch for Windows 8 Consumer Preview, the beta-like build Microsoft released at the end of February.

But it was MS12-027 that got the most attention today.

“Things got a bit more interesting today,” said Andrew Storms, director of security operations at nCircle Security, “because Microsoft is reporting limited attacks in the wild.”

Flaws that attackers exploit before a patch is available are called “zero-day” vulnerabilities. The single vulnerability patched in MS12-027 is in an ActiveX control included with every 32-bit version of Office 2003, 2007 and 2010; Microsoft also called out SQL Server, Commerce Server, BizTalk Server, Visual FoxPro and Visual Basic as needing the patch.

Storms, other security experts and Microsoft, too, all identified MS12-027 as the first update users should install.

Hackers are already using the vulnerability in malformed text documents, which when opened either in Word or WordPad — the latter is a bare bones text editor bundled with every version of Windows, including Windows 7 — can hijack a PC, Microsoft acknowledged in a post to its Security Research & Defense (SRD) blog today.

Now the good thing is, the flaw is not a remote access type exploit – meaning someone can’t hack you over the network with this. But it is serious as you can be jacked by opening a malformed document, which I assume would contain some type of ActiveX control.

Even so, it’s classed as remote code execution – which means if an attacker can get you to open the document in a browser – you’re owned.

There have been a lot of flaws like this (usually in Adobe Reader) and they have caused a fair amount of havoc, so tell whoever you know that’s running Windows to get their Windows Update on ASAP.


“We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of [the] CVE-2012-0158 vulnerability using specially-crafted Office documents,” said Elia Florio, an engineer with the Microsoft Security Response Center, in the SRD blog post.

Microsoft did not disclose when it first became aware of the attacks, or who reported the vulnerability to its security team.

Storms speculated that an individual or company had been attacked, uncovered the bug and notified Microsoft. Microsoft rarely deploys a patch “out of cycle,” meaning outside its usual second Tuesday of every month schedule. The last such update was shipped in December 2011, and was the first for that year.

Also affected is software written by third-party developers who have bundled the buggy ActiveX control with their code or called it. Those developers will have to provide their own updates to customers.

“Any developer that has released an ActiveX control should review the information for this security bulletin,” said Jason Miller, manager of research and development at VMware. “These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control.”

Attackers can also exploit this bug using “drive-by download” attacks that automatically trigger the vulnerability when IE users browse to a malicious site, Microsoft admitted.

And well if anyone is using Internet Exploder Explorer still – they are in trouble anyway.

The scary part is, 8 out of the 11 issues patched with this update were marked as Critical and it effects IE9 – the latest version of the Microsoft browser.

You can read the original Microsoft advisory here – Microsoft Security Bulletin MS12-027 – Critical – note they have marked this as a Critical issue.

Source: Network World

Posted in: Exploits/Vulnerabilities, Windows Hacking

, , , , ,


Latest Posts:


HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.
NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.
Metta - Information Security Adversarial Simulation Tool Metta – Information Security Adversarial Simulation Tool
Metta is an information security preparedness tool in Python to help with adversarial simulation and assess security defense preparation and alerts.


2 Responses to Microsoft Delivers 6 Out Of Band High Priority Security Updates

  1. Thomas in Sweden April 12, 2012 at 1:21 pm #

    Is this really “out-of-band”? I thought the second Tuesday of the month was the ordinary “patch Tuesday”.

    • Darknet April 12, 2012 at 3:43 pm #

      Yah, actually I think you’re right..it was Patch Tuesday anyway. My bad!