Microsoft Patch Tuesday: IE, Common Control, and Digitized Chuck Yeager

For those of you that remember Microsoft Works, today's update will be special for you. Finally, those of us who felt jilted by Office's superiority complex all these years can have our revenge. MS12-028 confirms it: Works is an Office killer, literally. OK, so it's buried at the bottom of the update, and sure there are 4 critical vulns across Windows and IE, but the Works thing got me all fired up about old computers.

Works was like some kind of Microsoft Office "Lite" edition, but with all the apps wrapped up in a single program. Works included a word processor, spreadsheet, calendar, and even a database for cataloging your 8-track collection. I remember first seeing this impressive software engineering achievement on a shiny new IBM PS/1 that the kid down the street got. This machine was IBM's next foray into the whipper-snapper world of "personal computers" after the Charlie Chaplin PCjr debacle.


They also had some kind of flight simulator with Chuck Yeager in it, where he would tell you how terrible you were when you crashed into the ground. Which happened about 100% of the time. Actually I think Major General Yeager practically invented the "DOING IT WRONG" meme, in addition to his other aeronautical achievements.

And with that in mind, this Patch Tuesday is dedicated to Digitized Chuck "Ace-in-a-Day" Yeager, motivational speaker and fastest man alive.

MS12-023 / KB2675157

Vulnerability in Windows Common Controls Could Allow Remote Code Execution


JScript9 Remote Code Execution Vulnerability, CVE-2012-0169

OnReadyStateChange Remote Code Execution Vulnerability, CVE-2012-0170

VML Style Remote Code Execution Vulnerability, CVE-2012-0171

selectAll Remote Code Execution Vulnerability, CVE-2012-0172

MS12-023 is rated as a critical update since it can allow remote code execution if a user views a specially crafted webpage with Internet Explorer. This can give an attacker the same system privileges as the current user. This cumulative update for IE doesn't fix just one but five different security vulnerabilities in the age-old browser affecting everything from IE 6 on Windows XP up to and including IE 9 on Windows Server 2008 x64 SP1. Four of those five vulnerabilities will allow RCE, and considering the severity, it is definitely something to pay attention to. If you have automatic update enabled you should be all set as this will install automatically. If you don't use automatic update this is one update you want to get installed quickly.

Malware targeting this vulnerability can be detected at the network level. Trustwave IDS and UTM are being updated to detect this activity.

Digitized Chuck Yeager says:


MS12-027 / KB2664258

Vulnerability in Windows Common Controls Could Allow Remote Code Execution



Windows Common Controls is a foundational visual library for displaying things like dialog boxes and tree views. MSCOMCTL.OCX is an ActiveX control that ties into this functionality, and it's pretty common across applications such as SQL Server, Office, and VB applications. This flaw allows code execution in the context of a user that encounters targeted malicious content. This could be delivered via a webpage, email, or even a digitized picture of Chuck Yeager.

Microsoft has advised us that this vulnerability is being exploited in the field, so it's an especially important update. Also expect network detection signatures of this threat to surface, including those used by Trustwave IDS and UTM.

Digitized Chuck Yeager says:


MS12-024 / KB2653956

Vulnerability in Windows Could Allow Remote Code Execution


WinVerifyTrust Signature Validation Vulnerability, CVE-2012-0151

This one involves Portable Executable files and Windows versions from XP SP3 through Windows 7 and even Server 2008 R2 for Itanium SP1 (in other words, pretty much all of them). A Portable Executable (PE) is a file format used for executables, object code and DLLs. If you are able to create a PE just right then you might be able to gain remote code execution on a target system. It is also possible to append malicious code to an existing PE file without changing the signature. An attacker can then email the PE file to a targeted user and get them to open it, or trick a user into visiting a webpage and downloading it, possibly disguised as a media player or other file. The update modifies how Authenticode Signature Verification (you might know it as WinVerifyTrust) verifies Portable Executable files. Of course, making such a modification may cause some valid PE files to become 'unsigned', most likely installer files, in which case the files will need to be re-signed by their authors. Obviously this is a critical update and should be applied to all systems.
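As a triage aid for the "appended without changing the signature" case above, here is an added example (not code from Trustwave or Microsoft, and not the check the MS12-024 update performs). The Authenticode hash does not cover the certificate table itself, so this heuristic flags bytes in or after that table that belong to no `WIN_CERTIFICATE` entry; the names `cert_table_findings` and `build_sample` are hypothetical, and the sample file is constructed.

```python
import struct

SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories

def cert_table_findings(data: bytes) -> list:
    """List structural anomalies around a PE file's Authenticode certificate table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    if struct.unpack_from("<I", data, dirs - 4)[0] <= SECURITY_DIR:
        return ["unsigned"]
    # For this directory the first field is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    if off == 0 or size == 0:
        return ["unsigned"]
    end = off + size
    if end > len(data):
        return ["certificate table runs past end of file"]
    findings = []
    if end < len(data):
        findings.append(f"{len(data) - end} bytes after certificate table")
    pos = off
    while pos + 8 <= end:                                  # walk WIN_CERTIFICATE entries
        length = struct.unpack_from("<I", data, pos)[0]    # dwLength includes the header
        if length < 8 or pos + length > end:
            break
        pos += (length + 7) & ~7                           # entries are 8-byte aligned
    if pos < end:
        findings.append(f"{end - pos} bytes in table outside any WIN_CERTIFICATE")
    return findings

def build_sample(slack: bytes = b"", overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with a dummy 16-byte certificate entry."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x58, 0x10B)               # optional header magic
    struct.pack_into("<I", hdr, 0x58 + 92, 16)             # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 16, 0x0200, 2) + b"\x30\x06" + bytes(6)
    struct.pack_into("<II", hdr, 0x58 + 96 + 32, 0x200, len(cert) + len(slack))
    return bytes(hdr) + cert + slack + overlay
```

A finding here is a reason to look closer, not a verdict: some legitimate installers also carry data after the certificate table.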

Digitized Chuck Yeager says:


MS12-025 / KB2671605

Vulnerability in .NET Framework Could Allow Remote Code Execution


.NET Framework Parameter Validation Vulnerability, CVE-2012-0163

This is a parameter validation vulnerability, and it's a pretty big deal because it can get an attacker full access to the system and affects all versions of .NET. It affects both client and server scenarios via web browsing and ASP.NET, respectively. The browsing scenario is centered on XAML browser applications in IE, which interface with the .NET runtime. We don't think about .NET in this context very often, so it's important to call it out – it's a problem for everyone with .NET, which covers the gamut of Windows users.

Digitized Chuck Yeager says:


MS12-026 / KB2663860

Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure


Unfiltered Access to UAG Default Web Site, CVE-2012-0147

You can think of Forefront Unified Access Gateway as sort of a real fancy VPN that basically offers remote access on managed and unmanaged PCs and mobile devices to people inside and outside of an organization -- mainly vendors and partners. This update actually fixes two vulnerabilities with the product. The most severe one could allow an attacker to recover information from a UAG server if it receives a specially crafted query. The update changes UAG to require additional authorization and prevents unfiltered access to internal resources. Microsoft is labeling this update only as moderate, but that doesn't mean you shouldn't install the patch anyway if you are running Forefront.

Digitized Chuck Yeager says:


MS12-028 / KB2639185

Vulnerability in Microsoft Office Could Allow for Remote Code Execution


Office WPS Converter Heap Overflow Vulnerability, CVE-2011-3398

The vulnerability that started this whole bizarre theme, which isn't even making any sense at this point. It's a flaw that appears when importing Works word processing files into Office, so it might be a little rare, but it could end up being used in an email attack since .wps will be automatically handled by Office. All kidding aside, there's more to this than disgruntled PS/1 users and it's worth getting this taken care of. Might even be worth blocking the .wps extension altogether, unless you're in the 8-track business.

Digitized Chuck Yeager says:


Who indeed, Major General. Who, indeed?

Thanks to Space Rogue for all his research help, and for putting up with whatever this is.
