Microsoft Patch Tuesday: IE, Common Control, and Digitized Chuck Yeager

For those of you that remember Microsoft Works, today's update will be special for you. Finally, those of us who felt jilted by Office's superiority complex all these years can have our revenge. MS12-028 confirms it: Works is an Office killer, literally. OK, so it's buried at the bottom of the update, and sure there are 4 critical vulns across Windows and IE, but the Works thing got me all fired up about old computers.

Works was like some kind of Microsoft Office "Lite" edition, but with all the apps wrapped up in a single program. Works included a word processor, spreadsheet, calendar, and even a database for cataloging your 8-track collection. I remember first seeing this impressive software engineering achievement on a shiny new IBM PS/1 that the kid down the street got. This machine was IBM's next foray into the whipper-snapper world of "personal computers" after the Charlie Chaplin PCjr debacle.

[image]

They also had some kind of flight simulator with Chuck Yeager in it, where he would tell you how terrible you were when you crashed into the ground. Which happened about 100% of the time. Actually I think Major General Yeager practically invented the "DOING IT WRONG" meme, in addition to his other aeronautical achievements.

And with that in mind, this Patch Tuesday is dedicated to Digitized Chuck "Ace-in-a-Day" Yeager, motivational speaker and fastest man alive.

MS12-023 / KB2675157

Cumulative Security Update for Internet Explorer

Critical

JScript9 Remote Code Execution Vulnerability, CVE-2012-0169

OnReadyStateChange Remote Code Execution Vulnerability, CVE-2012-0170

VML Style Remote Code Execution Vulnerability, CVE-2012-0171

selectAll Remote Code Execution Vulnerability, CVE-2012-0172

MS12-023 is rated as a critical update since it can allow remote code execution if a user views a specially crafted webpage with Internet Explorer. This can give an attacker the same system privileges as the current user. This cumulative update for IE doesn't fix just one but five different security vulnerabilities in the age-old browser affecting everything from IE 6 on Windows XP up to and including IE 9 on Windows Server 2008 x64 SP1. Four of those five vulnerabilities will allow RCE, and considering the severity, it is definitely something to pay attention to. If you have automatic update enabled you should be all set as this will install automatically. If you don't use automatic update this is one update you want to get installed quickly.

Malware targeting these vulnerabilities can be detected at the network level. Trustwave IDS and UTM are being updated to detect this activity.

Digitized Chuck Yeager says:

[image]

MS12-027 / KB2664258

Vulnerability in Windows Common Controls Could Allow Remote Code Execution

Critical

MSCOMCTL.OCX RCE, CVE-2012-0158

Windows Common Controls is a foundational visual library for displaying things like dialog boxes and tree views. MSCOMCTL.OCX is an ActiveX control that ties into this functionality, and it's pretty common across applications such as SQL Server, Office, and VB applications. This flaw allows code execution in the context of a user that encounters targeted malicious content. This could be delivered via a webpage, email, or even digitized picture of Chuck Yeager.

Microsoft has advised us that this vulnerability is being exploited in the wild, so it's an especially important update. Also expect network detection signatures for this threat to surface, including those used by Trustwave IDS and UTM.

Digitized Chuck Yeager says:

[image]

MS12-024 / KB2653956

Vulnerability in Windows Could Allow Remote Code Execution

Critical

WinVerifyTrust Signature Validation Vulnerability, CVE-2012-0151

This one involves Portable Executable files and Windows versions from XP SP3 through Windows 7 and even Server 2008 R2 for Itanium SP1 (in other words, pretty much all of them). A Portable Executable is a file format used for executables, object code and DLLs. If you are able to craft a PE just right, you might be able to gain remote code execution on a target system. It is also possible to append malicious code to an existing signed PE file without invalidating its signature. An attacker can then email the PE file to a targeted user and get them to open it, or trick a user into visiting a webpage and downloading it, possibly disguised as a media player or other file. The update modifies how Authenticode Signature Verification (you might know it as WinVerifyTrust) verifies Portable Executable files. Of course, making such a modification may cause some valid PE files to become 'unsigned', most likely installer files, in which case the files will need to be re-signed by their authors. Obviously this is a critical update and should be applied to all systems.

Digitized Chuck Yeager says:

[image]
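The MS12-024 write-up above turns on one structural fact about Authenticode: the signature hash covers the PE image up to and including the certificate table, so any bytes appended after that table are never checked. The script below is an added example (not Trustwave's code, and not a signature verifier) that parses the PE headers by hand, locates the certificate table through the security data directory, and reports how many unauthenticated bytes trail it. The PE images it checks are constructed inline; the "certificate" inside them is an opaque placeholder blob rather than a real PKCS#7 signature, and the `build_pe` helper exists only to produce that test data.

```python
"""Flag unauthenticated data appended after a PE file's Authenticode
certificate table (the appended-content issue described for MS12-024).
Added example; the PE images are constructed inline for demonstration."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory index of the certificate table


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if unsigned.

    Unlike the other data directories, the security entry holds a raw file
    offset rather than an RVA, so no section table lookup is needed."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:            # PE32: NumberOfRvaAndSizes at +92, directories at +96
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+: 8-byte ImageBase/stack/heap fields shift these
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, num_dirs_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", pe, entry)
    return (offset, size) if offset and size else None


def trailing_unsigned_bytes(pe: bytes) -> int:
    """Bytes past the end of the certificate table: 0 is clean, >0 means the
    file carries data the Authenticode hash never covered, -1 means unsigned."""
    sec = security_directory(pe)
    if sec is None:
        return -1
    end = sec[0] + sec[1]
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    return len(pe) - end


def build_pe(cert_blob=None) -> bytes:
    """Constructed test data: a minimal PE32 image (no sections) whose
    certificate table, if present, is the last thing in the file. cert_blob is
    an opaque stand-in for a real PKCS#7 signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    opt_size = 96 + 16 * 8                                 # PE32 fields + 16 directories
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    if cert_blob is None:
        return image
    # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7), 8-byte aligned
    cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(image), len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    clean = build_pe(b"fake-signature")
    print("clean image, trailing bytes:", trailing_unsigned_bytes(clean))
    print("appended image, trailing bytes:", trailing_unsigned_bytes(clean + b"\x90" * 16 + b"extra"))
    print("unsigned image:", trailing_unsigned_bytes(build_pe()))
```

A non-zero result is an indicator worth investigating, not proof of tampering on its own: some legitimate installers keep data after the certificate table, which is exactly why the post warns that the patched WinVerifyTrust may start reporting such files as unsigned until their authors re-sign them.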

MS12-025 / KB2671605

Vulnerability in .NET Framework Could Allow Remote Code Execution

Critical

.NET Framework Parameter Validation Vulnerability, CVE-2012-0163

This is a parameter validation vulnerability, and it's a pretty big deal because it can get an attacker full access to the system and affects all versions of .NET. It affects both client and server scenarios, via web browsing and ASP.NET respectively. The browsing scenario is centered on XAML browser applications in IE, which interface with the .NET runtime. We don't think about .NET in this context very often, so it's important to call it out: it's a problem for everyone with .NET, which covers the gamut of Windows users.

Digitized Chuck Yeager says:

[image]

MS12-026 / KB2663860

Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure

Important

Unfiltered Access to UAG Default Web Site, CVE-2012-0147

You can think of Forefront Unified Access Gateway as sort of a real fancy VPN that offers remote access on managed and unmanaged PCs and mobile devices to people inside and outside of an organization, mainly vendors and partners. This update actually fixes two vulnerabilities in the product. The most severe one could allow an attacker to recover information from a UAG server if it receives a specially crafted query. The update changes UAG to require additional authorization and prevents unfiltered access to internal resources. Microsoft is labeling this update only as moderate, but if you are running Forefront that doesn't mean you shouldn't install the patch anyway.

Digitized Chuck Yeager says:

[image]

MS12-028 / KB2639185

Vulnerability in Microsoft Office Could Allow for Remote Code Execution

Important

Office WPS Converter Heap Overflow Vulnerability, CVE-2011-3398

The vulnerability that started this whole bizarre theme, which isn't even making any sense at this point. The flaw appears when importing Works word processing files into Office, so it might be a little rare, but it could end up being used in an email attack since .wps files will be automatically handled by Office. All kidding aside, there's more to this than disgruntled PS/1 users and it's worth getting this taken care of. It might even be worth blocking the .wps extension altogether, unless you're in the 8-track business.

Digitized Chuck Yeager says:

[image]

Who indeed, Major General. Who, indeed?

Thanks to Space Rogue for all his research help, and for putting up with whatever this is.
