Microsoft on Tuesday fixed a critical vulnerability in a component of Office, SQL Server and other widely deployed applications that attackers already are using in targeted attacks. The flaw in the Microsoft Common Controls component, which was one of the 26 vulnerabilities fixed in nine bulletins issued today, can be exploited remotely and Microsoft said that attackers have been using malicious RTF files sent via email to take advantage of the bug.
The MS12-060 vulnerability is one of four critical bugs that the company fixed as part of the August Patch Tuesday release and it’s considered the most dangerous one at this point. Microsoft said that there are ongoing attacks against the flaw right now.
“The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website. The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability,” Microsoft said in its advisory.
Microsoft also released patches for a series of four bugs in the Windows networking components, the most severe of which is a remote, pre-authentication vulnerability in the print sppoler service that the company warns could be fuel for a worm at some point. The flaw is related to the way that the service handles response messages.
“All four vulnerabilities addressed by MS12-054 are client-side parsing issues of malformed RAP responses from the master browser back to a workstation initiating a request. To trigger the vulnerability by sending a malicious response, an attacker would need to either act as a subnet’s master browser or populate the legitimate master browser’s lookup table with malformed records which would be relayed to clients when they request a resource of a certain type,” Jonathan Ness wrote in an analysis of the bug, along with Neil Sikka and Gangadhara Swam of the MSRC Engineering team.
In order for the most severe of the bugs to be exploited by a network worm, several conditions would need to be present, they said.
“However, a fourth vulnerability (CVE-2012-1851) can be triggered by the print spooler service on Windows XP or Windows Server 2003 that polls/queries the master browser every two minutes for a list of shared printers. It would be ‘wormable’ given the following conditions:
- Victim workstations running Windows XP or Windows Server 2003
- Attacker is capable of being elected master browser on the victim’s subnet
OR
Attacker is able to populate the real master browser’s printer list with a malformed record
AND
Print Browsing group policy option is enabled on the real master browser. - Workstation Service (LanMan) running on victim workstation.
- Printer spooler service running on victim workstation.
Every two minutes, the victim’s print spooler service will call the NetServerEnum API to enumerate shared, available printers. This instructs the Workstation service to initiate a RAP request over SMB to the master browser. The master browser could then potentially send back a malformed response which would be passed to the spooler service, triggering the vulnerability.”
The biggest risk from this vulnerability lies with Windows XP users. The more recent versions of Windows, including Windows 7 and Server 2008, are not vulnerable by default.
Among the other flaws fixed this month are four vulnerabilities in Internet Explorer, some of which could be used as part of drive-by download attacks on malicious or compromised Web sites. The company also patched a series of vulnerabilities in Exchange Server that are related to the way that the software handles specific Web pages when they’re opened inside Outlook.
“These vulnerabilities could allow remote code execution as Local System if a user views a specially crafted file through Outlook Web Access in a browser. An attacker who successfully exploited the vulnerabilities could run code on the affected server, but only as LocalService. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network,” the Microsoft advisory for MS12-058 says.
The full list of patches and vulnerabilities is available on the Microsoft TechNet site.
