Microsoft Fixes Critical Vulnerability in Windows Common Controls

The first Tuesday of every month, Microsoft patches its applications in a regular security update. Typically, Patch Tuesday update bulletins address issues that affect specific Microsoft applications. But in the April update issued today, Microsoft is patching a core flaw that affects a long list of Microsoft applications. The flaw could potentially put third-party applications at risk as well.

All told, the April Patch Tuesday update delivers six bulletins -- four of which are rated as critical, including MS12-027.

MS12-027 is a critical vulnerability in Windows Common Controls. Qualys CTO Wolfgang Kandek explained to eSecurity Planet that MS12-027 affects MSCOMCTL.OCX, which provides a number of common controls including graphics, buttons, etc.

"Many programs use it because of the comfortable functionality it brings and install a copy on the system when it is needed," Kandek said. "With so many programs using it we think that many machines will be affected."

Kandek noted that Microsoft packages are all mapped out to identify and fix the vulnerability, but third-party applications will be the problem. In his view, any program written in Visual Basic will install a copy and could potentially be at risk.

"We were surprised at the breadth of the vulnerability, but look at it as being similar to the DLL pre-loading attacks," Kandek said. "Very generic and probably very widely spread."

From Microsoft's perspective, the core controls are used across multiple Microsoft applications including Office, SQL Server, BizTalk, Commerce Server, Visual FoxPro, and Visual Basic.

"The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability," Microsoft's advisory states. "The security update addresses the vulnerability by disabling the vulnerable version of the Windows common controls and replacing it with a new version that does not contain the vulnerability."
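
For administrators who want to find the copies of MSCOMCTL.OCX that third-party installers leave behind, as Kandek describes, the following PowerShell inventory is an added example and is not code from Microsoft, Qualys or the original article. The `MinimumFixedVersion` parameter is an assumption: the article does not state the patched file version, so the operator has to take it from the MS12-027 bulletin.

```powershell
# Added example: list every MSCOMCTL.OCX under the given roots and flag
# copies whose file version is below an operator-supplied threshold.
param(
    # Assumption: four-part version (e.g. a.b.c.d) taken from the MS12-027
    # bulletin by the operator; the article does not give this value.
    [Parameter(Mandatory = $true)]
    [version]$MinimumFixedVersion,

    # Directories to search; defaults to the whole system drive.
    [string[]]$Roots = @("$env:SystemDrive\")
)

# Find every copy, including those in hidden or application-private folders.
$copies = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter 'MSCOMCTL.OCX' -File -Recurse -Force `
        -ErrorAction SilentlyContinue
}

$report = foreach ($file in $copies) {
    $vi = $file.VersionInfo

    # Use the numeric version fields; the FileVersion string can carry extra text.
    # A file with no version resource yields 0.0.0.0 and is flagged for review.
    $ver = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    [pscustomobject]@{
        Path        = $file.FullName
        FileVersion = $ver
        # A copy that is not validly signed deserves a closer look regardless of version.
        Signature   = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
        SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        NeedsReview = ($ver -lt $MinimumFixedVersion)
    }
}

# Copies that still need attention sort to the top.
$report | Sort-Object -Property NeedsReview -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that protected directories are readable; paths that still cannot be read are skipped silently because of `-ErrorAction SilentlyContinue`.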

Five IE Vulnerabilities

The April update also includes five separate Internet Explorer vulnerabilities that have been grouped together in the MS12-023 bulletin.

Rapid7 security researcher Marcus Carey noted that this update should be the top priority for organizations as users could be compromised by drive-by exploits from web pages with specially-crafted malicious content. The five vulnerabilities covered in this bulletin include one that could potentially enable an attacker to execute arbitrary code on a user's PC if the user attempts to print a maliciously crafted web page. There is also a JavaScript flaw that could have enabled an attacker to access an object that has already been deleted in an attempt to execute arbitrary code.

"The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles the printing of specially crafted HTML content and the way that Internet Explorer handles objects in memory," Microsoft's bulletin states.

Remote Code Execution

There are two separate bulletins (MS12-024 and MS12-025) that fix different remote code execution flaws. MS12-024 prevents a signed portable executable (PE) file from being used to enable remote code execution.

"This vulnerability is perfect for attackers to weaponize legitimate executables, but in reality if users are allowed to execute arbitrary executables they most likely have bigger issues than this bulletin," Carey said.

With MS12-025, Microsoft is blocking remote code execution for .NET Framework users.

"The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs)," Microsoft warned.

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.