Microsoft Patches Critical Security Vulnerabilities In Windows, Office, IE, Exchange & SQL Server

Keep on Guard!


Another huge raft of critical fixes has been pushed out by Microsoft across almost their entire range of products, including client and server side software and the Windows OS itself.

It’s been a while since I’ve seen such a huge variety of security issues in one update including 5 critical vulnerabilities.

If you are running a Microsoft oriented organization you better get your update testing rig on-line and get rolling ASAP.

Microsoft has fixed 26 vulnerabilities in its software products, including several considered critical, the company said on Tuesday in its monthly security patch report.

The security holes, described in five critical and four important bulletins, affect multiple products, including Windows, Internet Explorer, Exchange, SQL Server and Office. In the worst-case scenarios, exploits could give attackers control of affected systems.

The first critical bulletin, labeled MS12-060, involves Windows Common Controls vulnerabilities, which affect Office, SQL Server, other server products and developer tools.

There have been “limited, targeted attacks” to try to exploit this security hole, but no public proof-of-concept code has been made available to Microsoft’s knowledge, wrote Microsoft security official Yunsun Wee in a related blog post.

If a user visits a website that contains “specially crafted content” designed to exploit the vulnerability, attackers could execute code remotely on the affected machine. However, users would have to be tricked into visiting such a website. The malicious code can also be sent as an email attachment, but users would need to open the attachment for the attack to work.

Most of them don’t seem to be out in the wild as such, as in they don’t have confirmed publicly available exploits. There have been cases of targeting attacks using these exploits, so they would be very much considered 0-day attacks and are probably being traded or sold in the underground.

The Common Controls exploit would be mitigated against if you had trained your users well on the dangers of opening unknown attachments as it would come in the form of a malicious .rtf file – most likely via e-mail.


Affected products include all supported editions of Office 2003, Office 2007, Office 2010 (except x64-based editions), SQL Server 2000 Analysis Services, SQL Server 2000 (except Itanium-based editions), SQL Server 2005 (except Microsoft SQL Server 2005 Express Edition, but including Microsoft SQL Server 2005 Express Edition with Advanced Services), SQL Server 2008, SQL Server 2008 R2, Commerce Server 2002, Commerce Server 2007, Commerce Server 2009, Commerce Server 2009 R2, Microsoft Host Integration Server 2004 SP 1, Visual FoxPro 8.0, Visual FoxPro 9.0 and Visual Basic 6.0 Runtime.

Microsoft patched a Windows Common Control bug in April that “made everyone sit up and take notice” due to the broad scope of important products it touched, said Andrew Storms, director of security operations at enterprise security vendor nCircle.

“There is some good news this month: that the attack vector associated with the [Windows Common Control] patch is an RTF (rich text format) file, and the victim has to explicitly open the file to allow the exploit. If you can’t get this patch rolled out or mitigation applied quickly, you should remind users about the dangers of opening attachments from unknown persons,” he said via email.

The second critical bulletin, labeled MS12-052, concerns four issues with IE that aren’t known to be under “active attack.” If successfully exploited, a malicious hacker could execute code on the affected machine with the privileges of the current user. As with the previous hole, users would need to visit a malicious Web page to fall victim to the attack. This vulnerability is rated critical for IE 6, IE 7, IE 8 and IE 9 on Windows clients and moderate for those same IE versions on Windows servers.

The more serious vulnerability, which effects Internet Explorer – allow code execution. But from the research done, it seems like these are not being actively attacked.

It’s critical for all versions of IE, including the current version IE9.

Source: Network World

Posted in: Countermeasures, Exploits/Vulnerabilities, Windows Hacking

, , , , , ,


Latest Posts:


Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.
Yuki Chan - Automated Penetration Testing Tool Yuki Chan – Automated Penetration Testing Tool
Yuki Chan is an Automated Penetration Testing Tool that carries out a whole range of standard security auditing tasks automatically.


One Response to Microsoft Patches Critical Security Vulnerabilities In Windows, Office, IE, Exchange & SQL Server

  1. Lavon September 26, 2012 at 10:25 pm #

    whoah this blog is magnifiсent i rеally like rеading youг posts.
    Κeep up the great work! You alrеady know,
    lotѕ of persons are looκing гound
    for this information, you can help them greatly.