Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Microsoft Patch Tuesday: Help Is On The Way!

This may sound a bit odd but "nosteve" who usually gives his take on the patch Tuesday release is trapped in an elevator so he has given me the reigns to post today. Lucky for me, this has been an exciting patch Tuesday with 7 bulletins posted, over 20 CVEs and a bunch of vulnerabilities that result in remote execution conditions. Affected products include Microsoft Office, Silverlight and the .Net Framework. Fortunately, Microsoft has patched these vulnerabilities and there is help on the way for those who are affected.


MS12-029 / KB2680352

Vulnerability in Microsoft Word Could Allow Remote Code Execution


RTF Mismatch Vulnerability, CVE-2012-0183

Rich Text Format (RTF) content is the focus of this vulnerability. There's a flaw in the parser used in certain versions of Office that allows system memory corruption and possibly code execution if any exploit researchers can break away from MS12-020 long enough to try this one out.

Among the vulnerable versions are Office 2003/2007 for Windows, and 2008/2011 for Mac. Office 2010 and Word Viewer for Windows are not vulnerable, and of course Works 9.0 is completely impenetrable.


Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution


Excel File Format Memory Corruption Vulnerability, CVE-2012-0141

Excel File Format Memory Corruption in OBJECTLINK Record Vulnerability, CVE-2012-0142

Excel Memory Corruption Using Various Modified Bytes Vulnerability, CVE-2012-0143

Excel SXLI Record Memory Corruption Vulnerability, CVE-2012-0184

Excel MergeCells Record Heap Overflow Vulnerability, CVE-2012-0185

Excel Series Record Parsing Type Mismatch Could Result in Remote Code Execution Vulnerability, CVE-2012-1847

All the CVEs mentioned here for Excel are caused by a lack of validation in the file structure that can result in remote code execution conditions. CVE-2012-0143 only affects Office 2003 and Microsoft Office 2008 for Mac. However, the rest of the CVE's affect many more versions including Microsoft Office 2010 and the Microsoft Viewer editions.

MS12-031/ KB2597981

Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution


VSD File Format Memory Corruption Vulnerability, CVE-2012-0018

This one goes to all who have downloaded the free edition of Visio (Visio Viewer) for the viewing pleasure of opening a drawing, chart or illustration. This software has a memory access vulnerability, which potentially could allow remote execution of code. However, it would require the users to open a drawing file that been specially crafted to exploit this vulnerability.

So far, I haven't seen yet a spam campaign where malicious Visio files are distributed over the Internet because seriously who opens network diagrams from someone who you don't know. However, potentially an attacker could post a malicious Visio document to a website posing as a sample. So beware! Users who have obtained the full version of Microsoft Visio are not affected.


Vulnerability in TCP/IP Could Allow Elevation of Privilege


Windows Firewall Bypass Vulnerability, CVE-2012-0174

The TCP/IP stack (tcpip.sys) is the focus of this vulnerability. The tcpip.sys file is the TCP/IP protocol driver file for Windows. Due to a security-bypass vulnerability in this file, it could potentially allows the ability to bypass the Windows Firewall. Affected systems include Windows Vista, Windows 7, and Windows Server 2008.

TCP/IP Double Free Vulnerability, CVE-2012-0179

Similar to CVE-2012-0174, it also based on a flaw in the TCP/IP stack (tcpip.sys). However, this vulnerability can allow local users to escalate privileges. Additionally, denial-of-service (DoS) conditions can result in instances when the exploit fails.


Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege


Plug and Play (PnP) Configuration Manager Vulnerability, CVE-2012-0178

This one deals with the Windows partition manager, which is does all kinds of nifty stuff like creating, deleting and resizing partitions for the Windows platform. The root cause of CVE-2012-0178 is based on a improper handeling flaw during Plug and Play (PnP) Configuration function calls.

Since the Windows partition manager component is common in the Windows platform, this privilege escalation vulnerability affects many OS versions. It affects Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Fortunately, the attacker would need to already have login credentials in order to exploit this vulnerability. However, it is still a big deal since this flaw can result in code execution.

MS12-034 / KB2681578

Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight


The bulletin for this one is huge, like really, really long. If you printed it out you would probably decimate a small forest. The reason is that it affects multiple technologies including Windows itself, Office, Silverlight and .NET. With 10 CVE's, it's almost more like a service pack than a one-off security bulletin.

Office for Mac is not affected by these issues, nor is .NET 3.5. Neither is Works 9.0, but you already knew that.

TrueType Font Parsing Vulnerability, CVE-2011-3402

TrueType Font Parsing Vulnerability, CVE-2012-0159

The TrueType ones deal with vulnerabilities related to opening malicious TTF files. This could happen via a web page if an attacker fooled a user into viewing the content and offered up a malicious font file. We've seen this one before, but according to MSRC that specific vulnerability was mitigated by MS11-087.

These vulnerabilities could also be used for privilege escalation in cases where an attacker has some sort of user access on the system.

.NET Framework Buffer Allocation Vulnerability, CVE-2012-0162

.NET Framework Index Comparison Vulnerability, CVE-2012-0164

The first .NET vulnerability is a client side buffer allocation issue, which comes into play when the web browser encounters XAML Browser Application (XBAP) files and passes them to the .NET runtime.

2012-0164 is a denial-of-service issue that is more server-targeted. An attacker targeting this vulnerability would take advantage of a flaw in .NET when comparing an index value. The goal would be to cause WPF to stop responding. According to the bulletin, this is not memory corruption and doesn't offer code execution possibilities.

There are no reports of either of these vulnerabilities being targeted in the wild at time of release.

GDI+ Record Type Vulnerability, CVE-2012-0165

GDI+ Heap Overflow Vulnerability, CVE-2012-0167

These deal with GDI+, the component responsible for 2D rendering in Windows. They are very similar: both describe malicious Enhanced Metafiles (EMF) and how they could be used to execute code on a vulnerable system via GDI+. Between the two, they outline attack vectors across Internet Explorer, email clients, and Office. No exploits in the wild yet on this one either, as far as we know.

Silverlight Double-Free Vulnerability, CVE-2012-0176

Double-free issues are always interesting; this happens when memory is freed multiple times and it can sometimes lead to code execution because of the resulting corruption. In this case, the attacker needs to embed malicious XAML glyphs, an artifact that Silverlight will process and render to the screen. This will usually cause the application to crash, but if things line up right it could put executable code on the stack, hence the Remote Code Execution concern. There's nothing being seen in the wild to confirm this, however.

Windows and Messages Vulnerability, CVE-2012-0180

Keyboard Layout File Vulnerability, CVE-2012-0181

Scrollbar Calculation Vulnerability, CVE-2012-1848

Unlike several others in this bulleting, these are local privilege escalation vulnerabilities – an attacker would need some sort of local account to use them. They deal with various flaws in the way that win32k.sys handles user input and could allow a malicious local use to obtain system-level access. Exploitation would occur via a specially crafted application loaded onto the system.

The Keyboard Layout File vulnerability in particular has been publically disclosed previously, but no attacks in the wild have been spotted yet.

MS12-035 / KB2693777

Vulnerabilities in .NET Framework Could Allow Remote Code Execution


.NET Framework Serialization Vulnerability, CVE-2012-0160

.NET Framework Serialization Vulnerability, CVE-2012-0161

Unrelated to the vulnerabilities described in MS12-034, these .NET vulnerabilities affect all versions of .NET. In this case, an attacker can send serialized objects (program data that is converted to a format that is suitable for transmission) to a .NET instance and get certain untrusted data treated as trusted.

This could affect clients downloading malicious code, as well as server applications that accept serialized data in some form from users. In the latter case, an attack here has the potential to bypass Code Access Security (CAS), a counter-measure built into the .NET framework.

Currently, the SpiderLabs Vulnerability Assessment Team is evaluating both of these vulnerabilities in order to provide detection in the TrustKeeper vulnerability scanning solution .

Final Comments

This has been a bit long of a post, but hopefully you have found it to be helpful. Good luck to all installing the latest Microsoft security updates and good luck to "nosteve" for escaping the elevator safely.

Latest SpiderLabs Blogs

Trustwave Rapid Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More