Microsoft Fixes Critical Vulnerability in Windows Common Controls
April's Patch Tuesday update delivers six bulletins -- including a critical fix for a core flaw that affects a long list of Microsoft applications.
On the second Tuesday of every month, Microsoft patches its products in a regular security update. Typically, Patch Tuesday bulletins address issues confined to specific Microsoft applications. But in the April update issued today, Microsoft is patching a core flaw in a shared component that a long list of Microsoft applications rely on. The flaw could put third-party applications at risk as well.
All told, the April Patch Tuesday update delivers six bulletins -- four of which are rated as critical, including MS12-027.
MS12-027 addresses a critical vulnerability in Windows Common Controls. Qualys CTO Wolfgang Kandek explained to eSecurity Planet that MS12-027 affects MSCOMCTL.OCX, which provides a number of common controls, including graphics and buttons.
"Many programs use it because of the comfortable functionality it brings and install a copy on the system when it is needed," Kandek said. "With so many programs using it we think that many machines will be affected."
Kandek noted that Microsoft's own packages are all mapped out so that the vulnerable copies can be identified and fixed, but that third-party applications will be the problem. In his view, any program written in Visual Basic will install a copy and could potentially be at risk.
"We were surprised at the breadth of the vulnerability, but look at it as being similar to the DLL pre-loading attacks," Kandek said. "Very generic and probably very widely spread."
From Microsoft's perspective, the core controls are used across multiple Microsoft applications including Office, SQL Server, BizTalk, Commerce Server, Visual FoxPro, and Visual Basic.
"The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability," Microsoft's advisory states. "The security update addresses the vulnerability by disabling the vulnerable version of the Windows common controls and replacing it with a new version that does not contain the vulnerability."
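The two points above, that third-party installers drop their own copies of MSCOMCTL.OCX and that the fix works by disabling the vulnerable version of the control (on Windows, a control version is disabled through an ActiveX kill bit on its CLSID), suggest a host-side check. The following PowerShell script is an added example and is not code from the article, Qualys or Microsoft. It inventories every copy of MSCOMCTL.OCX under the system and Program Files directories, then reports which file is registered for the control's CLSID and whether that CLSID's kill bit is set. The CLSID it uses is assumed to be that of the MSComctlLib ListView control hosted by MSCOMCTL.OCX; verify it against the bulletin before relying on the result.

```powershell
# Added example, not from the article, Qualys or Microsoft: inventory every copy of
# MSCOMCTL.OCX on a Windows host and report whether the control's CLSID is still
# registered and whether its ActiveX kill bit is set.
#
# Assumption (verify against the MS12-027 bulletin before relying on it): the CLSID
# below is that of the MSComctlLib ListView control hosted by MSCOMCTL.OCX.
$clsids = @('{BDD1F04B-858B-11D1-B16A-00C0F0283628}')

# Directories where the system copy lives and where third-party installers tend to
# drop their own copies. Paths that do not exist on this host are skipped.
$roots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$copies = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter 'MSCOMCTL.OCX' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Version   = $_.VersionInfo.FileVersion
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}
"Copies of MSCOMCTL.OCX found:"
$copies | Sort-Object Path | Format-Table -AutoSize

# MSCOMCTL.OCX is a 32-bit control, so on 64-bit Windows its registration and its
# kill bit live under the Wow6432Node views; check both views and report what is found.
$clsidViews = @('HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
$killViews  = @('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
                'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility')

foreach ($clsid in $clsids) {
    # Which file is actually registered for the CLSID (InprocServer32 default value)?
    $server = foreach ($view in $clsidViews) {
        $p = Get-ItemProperty -LiteralPath "Registry::$view\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($p) { $p.'(default)' }
    }
    # Kill bit: 'Compatibility Flags' with bit 0x400 set means IE and other hosts must not load it.
    $flags = foreach ($view in $killViews) {
        $p = Get-ItemProperty -LiteralPath "Registry::$view\$clsid" -ErrorAction SilentlyContinue
        if ($p) { $p.'Compatibility Flags' }
    }
    $killBit = @($flags | Where-Object { $_ -band 0x400 }).Count -gt 0

    [pscustomobject]@{
        CLSID         = $clsid
        RegisteredOCX = if ($server) { ($server | Select-Object -First 1) } else { '<not registered>' }
        KillBitSet    = $killBit
    }
}
```

Run it from an elevated PowerShell session. A copy sitting in a third-party application directory with an older file version than the one in System32 (or SysWOW64) is the situation Kandek describes; an installer can also re-register such a copy after the update has been applied, which is why the script reports the registered path separately from the on-disk inventory. Because the kill bit is keyed on the CLSID rather than on a file, it blocks instantiation of the old control from any host that honours it regardless of which copy is registered, so a missing kill bit on a supposedly patched machine is the finding to follow up on.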
Five IE Vulnerabilities
The April update also includes five separate Internet Explorer vulnerabilities that have been grouped together in the MS12-023 bulletin.
"The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles the printing of specially crafted HTML content and the way that Internet Explorer handles objects in memory," Microsoft's bulletin states.
Remote Code Execution
Two further bulletins, MS12-024 and MS12-025, fix different remote code execution flaws. MS12-024 fixes a flaw in how Windows validates signed portable executable (PE) files, which could let a specially crafted signed PE file achieve remote code execution.
"This vulnerability is perfect for attackers to weaponize legitimate executables, but in reality if users are allowed to execute arbitrary executables they most likely have bigger issues than this bulletin," Carey said.
MS12-025 fixes a remote code execution flaw in the .NET Framework.
"The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs)," Microsoft warned.