April 2012 Microsoft Super Tuesday
Posted by Shane Garrett on April 10, 2012 at 1:27 PM EDT.
Microsoft's April security update for 2012 consists of six bulletins with fixes for eleven CVEs. Four of the bulletins are rated critical and should be patched as soon as possible. CVE-2012-0158, a remote code execution vulnerability covered in MS12-027, was publicly disclosed and should be patched immediately. Following are a closer look at three of the critical vulnerabilities.
- MS12-027 : Vulnerability in MSCOMCTL.OCX Could Allow Remote Code Execution
This bulletin contains the previously mentioned, publicly disclosed remote code execution vulnerability. Four controls in the widely distributed Windows common controls library (MSCOMCTL.OCX) suffer from a memory corruption vulnerability that can be leveraged to run attacker supplied code in the context of the current user. For the curious, these are MSCOMCTL.TreeView, MSCOMCTL.ListView2, MSCOMCTL.TreeView2, and MSCOMCTL.ListView. These controls are implemented in COM/ActiveX and have a correspondingly large attack surface. They can be embedded in Web pages as well as Office document formats like Microsoft Word DOC files, RTF and Microsoft Excel XLS files. The class IDs (CLSIDs) for these controls are going to be kill-bitted as part of the update. The severity of the vulnerability along with the large attack surface and the fact that it has been publicly disclosed means this update should be applied immediately.
- MS12-024 : Vulnerability in Windows Could Allow Remote Code Execution
The title for this bulletin could be clearer. The bulletin covers a vulnerability in the Authenticode code signing technology that could allow for a signed binary's contents to be modified without invalidating the Authenticode signature. Specifically, the flaw is in the function that performs authentication of the signed binary via an embedded signature. An attacker could exploit this vulnerability by modifying a valid, signed executable to include malicious code.
It's easy to dismiss this issue as somewhat irrelevant. If you are downloading and running executables from untrusted sources on the Internet, it's already game over. However, there are serious implications to this vulnerability. If you run a highly secure environment and have locked down installation of any non-signed binaries then exploitation of this vulnerability will completely bypass this protection. Later Windows operating systems also requrie that drivers be signed. An attacker could masquerade their kernel malware rootkit as a legitimate signed boot start driver.
- MS12-023 : Cumulative Security Update for Internet Explorer
Five separate vulnerabilities cumulatively affecting all versions of Internet Explorer were fixed in this update. All of these can be leveraged to gain remote code access. As is typical of IE vulnerabilities, four of these require scripting in order to create an exploit, the other requires manual user interaction (and is only rated as moderate). Code execution bugs in IE bugs are always bad so this update should be certainly be applied.