Critical Microsoft Update (MS12-027) for Microsoft Office
by Carol~ - 4/11/12 11:28 AM
"MS12-027: Enhanced protections regarding ActiveX controls in Microsoft Office documents"
From the Security Research & Defense Blog:
Security Update MS12-027 addresses a code execution vulnerability in MSCOMCTL.OCX, the Windows Common Controls ActiveX control. By default, this component is included with all 32-bit versions of Microsoft Office. We'd like to cover the following topics in this blog post:
• Limited, targeted attacks leveraging this vulnerability
• Mitigations in recent versions of Office to reduce the risk
• Extra protections to block all or specific ActiveX controls in Office documents
• The new Office 2010 kill bit feature
Limited, targeted attacks leveraging this vulnerability
We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of CVE-2012-0158 vulnerability using specially crafted Office documents as exploit vector. The specific samples that we have seen have been RTF files attempting to exploit the vulnerability when opened in either WordPad or Microsoft Word. People who install the MS012-027 patch are protected against CVE-2012-0158 so we recommend applying the update right away. Microsoft Word includes various on-by-default mitigations and optional security hardening features that you might consider enabling. Read on to find out more.
Microsoft Word 2010 Protected View as a mitigation
By default, Microsoft Office 2010 opens documents originating from the Internet and from other potentially unsafe locations in a mode called Protected View. This mode does not allow ActiveX controls to load. If a victim running Office 2010 were to receive an exploit for CVE-2012-0158 over the internet or via email, the victim would need to click the Protected View's "Enable Editing" button before the malicious code would be allowed to run. The screenshots below show two examples of Protected View. [Screenshot]
Disabling ActiveX controls in Microsoft Office
ActiveX-based attacks with documents are not new. In this blog we have covered the Behavior of embedded ActiveX controls in Microsoft Office documents (http://blogs.technet.com/b/srd/archive/2009/03/03/behavior-of-activex-controls-embedded-in-office-documents.aspx) three years ago, giving good advice and best practices on how to restrict (or disable) the initialization of embedded controls.
Without going into the details of the previous blog, we'll just mention once more that Office 2007 and 2010 editions have a dedicated panel for ActiveX controls in Trust Center Settings which allows, in its safest configuration, to completely disable all controls embedded in documents or to prompt a warning dialog when a document tries to use certain type of controls as showed by the following picture. [Screenshot]
Continued : http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx
See "Affected Software" in Microsoft Security Bulletin MS12-027: http://technet.microsoft.com/en-us/security/bulletin/ms12-027