Now it was only last month when everyone was wrapped up in the MS12-020 RDP Exploit Code In The Wild issue.
As it turns out, Microsoft have been hiding some more serious security issues under the carpet. Apparently attackers are already exploiting the MS12-027 flaw in ActiveX in the wild – although Microsoft of course say there have been only ‘limited attacks’.
It’s a fair old bundle of updates and it must be serious if they are pushing an out-of-band patch and not just waiting for the next Patch Tuesday (which is what they normally do).
Microsoft today delivered six security updates to patch 11 vulnerabilities in Windows, Internet Explorer (IE), Office and several other products, including one bug that attackers are already exploiting. The company also issued the first patch for Windows 8 Consumer Preview, the beta-like build Microsoft released at the end of February.
But it was MS12-027 that got the most attention today.
“Things got a bit more interesting today,” said Andrew Storms, director of security operations at nCircle Security, “because Microsoft is reporting limited attacks in the wild.”
Flaws that attackers exploit before a patch is available are called “zero-day” vulnerabilities. The single vulnerability patched in MS12-027 is in an ActiveX control included with every 32-bit version of Office 2003, 2007 and 2010; Microsoft also called out SQL Server, Commerce Server, BizTalk Server, Visual FoxPro and Visual Basic as needing the patch.
Storms, other security experts and Microsoft, too, all identified MS12-027 as the first update users should install.
Hackers are already using the vulnerability in malformed text documents, which when opened either in Word or WordPad — the latter is a bare bones text editor bundled with every version of Windows, including Windows 7 — can hijack a PC, Microsoft acknowledged in a post to its Security Research & Defense (SRD) blog today.
Now the good thing is, the flaw is not a remote access type exploit – meaning someone can’t hack you over the network with this. But it is serious, as you can be jacked by opening a malformed document, which I assume would contain some type of ActiveX control.
Even so, it’s classed as remote code execution – which means that if an attacker can get you to open the document in a browser, you’re owned.
There have been a lot of flaws like this (usually in Adobe Reader) and they have caused a fair amount of havoc, so tell whoever you know that’s running Windows to get their Windows Update on ASAP.
“We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of [the] CVE-2012-0158 vulnerability using specially-crafted Office documents,” said Elia Florio, an engineer with the Microsoft Security Response Center, in the SRD blog post.
Microsoft did not disclose when it first became aware of the attacks, or who reported the vulnerability to its security team.
Storms speculated that an individual or company had been attacked, uncovered the bug and notified Microsoft. Microsoft rarely deploys a patch “out of cycle,” meaning outside its usual second Tuesday of every month schedule. The last such update was shipped in December 2011, and was the first for that year.
Also affected is software written by third-party developers who have bundled the buggy ActiveX control with their code or called it. Those developers will have to provide their own updates to customers.
“Any developer that has released an ActiveX control should review the information for this security bulletin,” said Jason Miller, manager of research and development at VMware. “These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control.”
Attackers can also exploit this bug using “drive-by download” attacks that automatically trigger the vulnerability when IE users browse to a malicious site, Microsoft admitted.
And well if anyone is using Internet Exploder Explorer still – they are in trouble anyway.
The scary part is, 8 out of the 11 issues patched with this update were marked as Critical and it affects IE9 – the latest version of the Microsoft browser.
You can read the original Microsoft advisory here – Microsoft Security Bulletin MS12-027 – Critical – note they have marked this as a Critical issue.
Source: Network World
Thomas in Sweden says
Is this really “out-of-band”? I thought the second Tuesday of the month was the ordinary “patch Tuesday”.
Darknet says
Yah, actually I think you’re right... it was Patch Tuesday anyway. My bad!