BeyondTrust Patch Tuesday

April 10, 2012

Microsoft Patch Summary

This month, Microsoft released six bulletins that fix a total of eleven vulnerabilities. Of these vulnerabilities, there are nine remote code execution vulnerabilities and two information disclosure vulnerabilities.

Patch MS12-023, MS12-024, MS12-025, and MS12-027 immediately to prevent exploitation by attackers. Patch MS12-026 and MS12-028 as soon as possible. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday, April 11th
    1pm PT / 4pm ET / 9pm GMT

BULLETIN / ADVISORY DETAILS

MS12-023

Cumulative Security Update for Internet Explorer (2675157)


Microsoft Rating: Critical

CVE List: CVE-2012-0168, CVE-2012-0169, CVE-2012-0170, CVE-2012-0171, and CVE-2012-0172

Analysis:

This bulletin addresses five privately reported remote code execution vulnerabilities in Internet Explorer. The patch fixes a print feature, JScript9, the OnReadyStateChange function, the SelectAll function, and an issue with VML styles. An attacker who successfully exploited one of these vulnerabilities would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers, since no mitigation is available for CVE-2012-0168. Until the patch can be installed, block ActiveX controls and block or disable Active Scripting in both the Internet and Local intranet zones.

MS12-024

Vulnerability in Windows Could Allow Remote Code Execution (2653956)


Microsoft Rating: Critical

CVE: CVE-2012-0151

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Windows. The patch fixes how the validation routine of the Windows Authenticode Signature Verification mechanism checks the digest of certain PE files. An attacker who successfully exploited this vulnerability would be able to make a malicious PE file appear to be legitimate, which would make it easier to convince users to trust and execute malicious PE files.

Recommendation:

Install the patch immediately to prevent exploitation by attackers, since no mitigation is available.

MS12-025

Vulnerability in .NET Framework Could Allow Remote Code Execution (2671605)


Microsoft Rating: Critical

CVE: CVE-2012-0163

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the .NET Framework. The patch fixes how the .NET Framework validates parameters that are passed to a function. An attacker who successfully exploited this vulnerability would gain access to the target machine in the context of the exploited .NET Framework application, such as the user context for a web browser that runs a malicious XAML application.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block XAML browser applications from running in Internet Explorer.

MS12-026

Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860)


Microsoft Rating: Important

CVE List: CVE-2012-0146 and CVE-2012-0147

Analysis:

This bulletin addresses two privately reported information disclosure vulnerabilities in Forefront Unified Access Gateway (UAG). The patch fixes a blind HTTP redirect vulnerability that would allow an attacker to spoof a UAG interface. This would be useful in a scenario where an attacker harvests usernames and passwords from unsuspecting users who think they are logging into a real UAG interface. The patch also fixes an information disclosure vulnerability in default UAG websites, which would allow an attacker to access data on the site from an external location.

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

MS12-027

Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)


Microsoft Rating: Critical

CVE: CVE-2012-0158

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Windows Common Controls. Limited attacks that exploit this vulnerability have been reported. The patch fixes MSCOMCTL.OCX, which can allow system state corruption when used in Internet Explorer in certain circumstances. An attacker who successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, use the registry to set killbits for the vulnerable controls. Additionally, do not open any Microsoft Office or Rich Text Format documents that come from untrusted sources.
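The kill-bit mitigation recommended above, as an added PowerShell example (not part of the original advisory or of Microsoft's bulletin). The CLSID is a placeholder because this page does not list the affected controls, and the function names `Get-KillBitState` and `Set-KillBit` are hypothetical.

```powershell
# Added example: audit and set the Internet Explorer kill bit for ActiveX CLSIDs.
# PLACEHOLDER CLSID: replace with the values listed in the MS12-027 bulletin.
$Clsids  = @('{00000000-0000-0000-0000-000000000000}')
$KillBit = 0x400   # "do not load" bit in the "Compatibility Flags" DWORD
$Roots   = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$Wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
if (Test-Path $Wow) { $Roots += $Wow }

function Get-KillBitState {
    param([string[]]$Clsid)
    foreach ($root in $Roots) {
        foreach ($id in $Clsid) {
            $key   = Join-Path $root $id
            $flags = $null
            if (Test-Path $key) {
                $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
            }
            [pscustomobject]@{
                Key    = $key
                Flags  = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
                Killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

function Set-KillBit {
    # Needs an elevated session; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Clsid)
    foreach ($row in (Get-KillBitState -Clsid $Clsid | Where-Object { -not $_.Killed })) {
        if ($PSCmdlet.ShouldProcess($row.Key, 'set kill bit')) {
            if (-not (Test-Path $row.Key)) { New-Item -Path $row.Key -Force | Out-Null }
            $old = (Get-ItemProperty -Path $row.Key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
            # Preserve any other flags already present and OR in the kill bit.
            Set-ItemProperty -Path $row.Key -Name 'Compatibility Flags' `
                -Type DWord -Value ([int]$old -bor $KillBit)
        }
    }
}

Get-KillBitState -Clsid $Clsids | Format-Table -AutoSize   # audit only
# Set-KillBit -Clsid $Clsids -WhatIf                        # preview the change
```

Running the audit again after `Set-KillBit` should report `Killed = True` for every key in both registry views.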


MS12-028

Vulnerability in Microsoft Office Could Allow Remote Code Execution (2639185)


Microsoft Rating: Important

CVE: CVE-2012-0177

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Office. The patch fixes a heap overflow vulnerability that occurs when parsing specially crafted .WPS files. An attacker who successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Deploy patches as soon as possible. Until the patch can be applied, do not open Works files (.WPS extension) that come from untrusted sources.

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.