Microsoft issued a major browser security update, repairing critical Internet Explorer flaws as part of its April 2012 Patch Tuesday. The April update also repairs a serious flaw in an ActiveX control shared by a wide range of Microsoft products, a flaw that attackers are already exploiting in the wild.
The software giant issued six security bulletins Tuesday, including four rated “critical” and two rated “important,” addressing 11 vulnerabilities across its product line. The critical IE update was given the top priority by Microsoft. It affects all versions of Internet Explorer, resolving five vulnerabilities that could be used by cybercriminals in drive-by attacks to gain the same user rights as the victim. The update is rated “moderate” for IE running on Windows servers.
“Once this is released and the attackers have the ability to reverse engineer the patch, they’ll look to find out what is changed in the code and point to the vulnerable sections,” said Don DeBolt, director of threat research at Hauppauge, NY-based endpoint security vendor Total Defense Inc. “Within days they should be able to craft an exploit.”
DeBolt said it won’t be hard for attackers to get an exploit targeting the vulnerabilities in front of victims. Spear phishing attacks using malicious links or search engine poisoning are common ways to lure end users to a malicious website, he said.
ActiveX control error being actively targeted
A critical bulletin that addresses a Windows Common Controls ActiveX control is also a serious issue, according to Wolfgang Kandek, CTO of vulnerability management vendor Qualys Inc.
Microsoft said the update disables the vulnerable version of the Windows Common Controls and replaces it with a new version. It also released a Knowledge Base Article detailing common issues that could be encountered when deploying the update. The ActiveX control update affects Office 2003 through 2010 on Windows, SQL Server 2000 through 2008, BizTalk Server 2002 and Commerce Server 2002 through 2009. It is also repaired in Microsoft’s development tools, Visual FoxPro 8 and Visual Basic 6 Runtime. Because the same control ships with several of these products, a single machine may be offered more than one of the updates.
In a blog entry, Kandek said the update affects an unusually wide range of Microsoft products. The flaw can be triggered remotely by getting a victim to visit a malicious website that instantiates the ActiveX control, or by getting the victim to open a document that embeds it.
“Attackers have been embedding the exploit for the underlying vulnerability CVE-2012-0158 into an RTF document and enticing the target into opening the file, most commonly by attaching it to an email,” Kandek said. “Another possible vector is through Web browsing, but the component can potentially be attacked through any of the mentioned applications.”
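How such a lure document carries its payload, as an added example that is not part of the article and not code from Microsoft or Qualys: an RTF file embeds an OLE object as a hex-encoded `\objdata` group whose bytes are an OLE 1.0 ObjectHeader (MS-OLEDS) followed by the object's native data. The script below decodes every `\objdata` group, parses the header to recover the class name and native-data size, and flags objects whose class name refers to the Windows Common Controls library. The class-name markers, the `MSComctlLib.ListViewCtrl.2` ProgID and the sample document are this example's assumptions; the article gives no indicators, and the script is a triage aid for suspicious attachments, not a detector of CVE-2012-0158 itself.

```python
import re
import struct

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound-file (structured storage) signature

# Assumption for this example: class names containing these substrings are taken
# to refer to the Windows Common Controls library (MSCOMCTL.OCX).
SUSPICIOUS_CLASS_MARKERS = ("MSComctlLib", "MSCOMCTL")

OBJDATA_RE = re.compile(rb"\{\\\*\\objdata\s*([^{}]*)\}")


def extract_objdata(rtf: bytes):
    """Yield the decoded bytes of every {\\*\\objdata ...} group in an RTF file."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))  # drop whitespace and newlines
        yield bytes.fromhex(hexdigits.decode("ascii"))


def read_lp_string(buf: bytes, off: int):
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length (counts the NUL), then the bytes."""
    (length,) = struct.unpack_from("<I", buf, off)
    raw = buf[off + 4:off + 4 + length]
    return raw.rstrip(b"\0").decode("latin-1"), off + 4 + length


def parse_ole1_object(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader plus EmbeddedObject body that \\objdata carries."""
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, off = read_lp_string(blob, 8)
    topic_name, off = read_lp_string(blob, off)
    item_name, off = read_lp_string(blob, off)
    (native_size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + native_size]
    return {
        "ole_version": ole_version,
        "format_id": format_id,           # 2 = embedded object
        "class_name": class_name,
        "native_size": native_size,
        "native_is_ole2": native.startswith(OLE2_MAGIC),
    }


def triage_rtf(rtf: bytes) -> list:
    """One finding per embedded object; 'suspicious' is set for Common Controls class names."""
    findings = []
    for blob in extract_objdata(rtf):
        obj = parse_ole1_object(blob)
        name = obj["class_name"].lower()
        obj["suspicious"] = any(marker.lower() in name for marker in SUSPICIOUS_CLASS_MARKERS)
        findings.append(obj)
    return findings


# ---- constructed sample input (not a real malicious document) ----

def build_ole1_blob(class_name: bytes, native: bytes) -> bytes:
    """Serialise an OLE 1.0 embedded object the way Word writes it into \\objdata."""
    def lp(s: bytes) -> bytes:
        return b"\0\0\0\0" if not s else struct.pack("<I", len(s) + 1) + s + b"\0"
    return (struct.pack("<II", 0x00000501, 0x00000002)      # OLEVersion, FormatID=embedded
            + lp(class_name) + lp(b"") + lp(b"")            # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native)) + native)      # NativeDataSize, NativeData


def sample_rtf() -> bytes:
    """A two-object lure: a harmless Package object and an embedded Common Controls object."""
    def group(class_name: bytes, blob: bytes) -> bytes:
        return (b"{\\object\\objemb{\\*\\objclass " + class_name + b"}"
                + b"{\\*\\objdata " + blob.hex().encode("ascii") + b"}}")
    benign = build_ole1_blob(b"Package", b"hello")
    control = build_ole1_blob(b"MSComctlLib.ListViewCtrl.2", OLE2_MAGIC + b"\0" * 24)
    return (b"{\\rtf1\\ansi Quarterly figures attached. "
            + group(b"Package", benign) + b" "
            + group(b"MSComctlLib.ListViewCtrl.2", control) + b"}")


if __name__ == "__main__":
    for finding in triage_rtf(sample_rtf()):
        print(finding)
```

Run against a real attachment, the useful signals are the class name, whether the native data is itself a compound file (a persisted ActiveX control usually is), and an unexpectedly large native-data size; any of these on an unsolicited document is reason to detonate it in a sandbox rather than open it.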
Microsoft also issued a fix for a critical vulnerability affecting all supported versions of Windows. The WinVerifyTrust Signature Validation vulnerability lies in the Windows function that verifies Authenticode signatures on portable executable (PE) files. A savvy attacker could modify an existing signed executable without invalidating its signature; a user who then runs the modified file executes the attacker's code with the trust attached to the original signer, giving complete control of the affected system.
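To see why a signed PE file leaves room for modification at all, here is an added example (mine, not the article's and not Microsoft's code) that computes the Authenticode digest of a PE image the way the published Authenticode specification prescribes, reports the byte ranges the signature does not cover, and shows on a constructed minimal PE32 image that flipping a byte inside the attribute certificate table or the CheckSum field leaves the digest unchanged while flipping a byte in a section does not. It illustrates the hashing rule every verifier must follow, not the specific defect fixed by this bulletin, which the article does not describe; the sample image and its offsets are constructed.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def authenticode_hash(pe: bytes, algo: str = "sha256"):
    """Authenticode digest of a PE image per the Authenticode PE specification.

    Returns (hexdigest, skipped): 'skipped' lists the (start, end) byte ranges the
    signature does NOT cover: the CheckSum field, the security data-directory entry,
    and the attribute certificate table that holds the PKCS#7 signature itself.
    """
    h = hashlib.new(algo)
    skipped = []
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_opt,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:        # PE32
        dirs_off = opt + 96
    elif magic == 0x20B:      # PE32+
        dirs_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64
    (size_of_headers,) = struct.unpack_from("<I", pe, opt + 60)
    sec_dir_off = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)

    # 1. Headers, minus the CheckSum field and the security directory entry.
    h.update(pe[:checksum_off])
    skipped.append((checksum_off, checksum_off + 4))
    h.update(pe[checksum_off + 4:sec_dir_off])
    skipped.append((sec_dir_off, sec_dir_off + 8))
    h.update(pe[sec_dir_off + 8:size_of_headers])
    hashed = size_of_headers

    # 2. Section raw data, in ascending PointerToRawData order.
    sh = opt + size_opt
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sh + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # 3. Any trailing data that is not the certificate table (the table sits at EOF).
    extra = len(pe) - hashed - cert_size
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    if cert_size:
        skipped.append((cert_off, cert_off + cert_size))
    return h.hexdigest(), skipped


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real binary): one section, dummy certificate table."""
    e_lfanew, size_of_headers = 0x40, 0x200
    sec_ptr, sec_size = 0x200, 0x200
    cert_off, cert_size = 0x400, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, 0x12345678)           # CheckSum (unsigned by design)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", sec_size, 0x1000, sec_size, sec_ptr,
                                           0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + section
    headers += b"\0" * (size_of_headers - len(headers))
    text = bytes(range(256)) * 2                          # 512 bytes standing in for code
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=2 (PKCS#7), then blob.
    cert = struct.pack("<IHH", cert_size, 0x0200, 0x0002) + b"\xAA" * (cert_size - 8)
    return headers + text + cert


def tamper(pe: bytes, offset: int) -> bytes:
    """Flip one byte so the effect on the digest can be observed."""
    b = bytearray(pe)
    b[offset] ^= 0xFF
    return bytes(b)


def check_tamper_coverage():
    """(cert-table edit invisible?, CheckSum edit invisible?, section edit visible?)"""
    pe = build_sample_pe()
    digest = authenticode_hash(pe)[0]
    return (authenticode_hash(tamper(pe, 0x400 + 16))[0] == digest,
            authenticode_hash(tamper(pe, 152))[0] == digest,
            authenticode_hash(tamper(pe, 0x300))[0] != digest)


if __name__ == "__main__":
    print(authenticode_hash(build_sample_pe()))
    print(check_tamper_coverage())
```

The point for a verifier is that everything outside the listed ranges must be hashed and everything inside them must be treated as untrusted input; a mistake in either direction is exactly the kind of defect that lets bytes be added to a signed file without the signature noticing.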
The last critical bulletin addresses a serious vulnerability in Microsoft’s .NET Framework and affects all supported versions of the framework. The flaw lies in the way the framework validates the parameters it is handed when data is passed to a function, and it can be used against .NET applications. Microsoft said it can also be used in drive-by attacks by embedding malicious code in Web advertisements or forum pages.
Finally, Microsoft issued two bulletins rated “important,” repairing two flaws in its Unified Access Gateway (UAG) and one flaw in Microsoft Office and Microsoft Works. The Office flaw is a memory error in the Works File Converter and affects Office 2007 and Works 9. The UAG flaws could allow an unauthenticated user on the external network to reach the default website of the UAG server.