Public Safety Canada

Microsoft Security Bulletin Summary for April 2012

Number: AV12-016
Date: 12 April 2012

Purpose

The purpose of this advisory is to bring attention to the monthly Microsoft Security Bulletin Summary for April. The summary covers 6 bulletins (4 Critical, 2 Important), which address 11 vulnerabilities in some Microsoft products.

Assessment

CCIRC is aware of several proof-of-concepts that exploit some of these vulnerabilities. Special attention should be directed to the vulnerability in MS12-027, which is already being used in a limited and targeted attack.

Microsoft has released the following security bulletins:

MS12-023 - Cumulative Security Update for Internet Explorer (2675157)
Details: This security update resolves 5 privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploits any of these vulnerabilities could gain the same user rights as the current user.
The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles the printing of specially crafted HTML content and the way that Internet Explorer handles objects in memory.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Temporary
Affected Products: Internet Explorer 6, 7, 8, 9
CVE References: CVE-2012-0168, CVE-2012-0169, CVE-2012-0170, CVE-2012-0171, CVE-2012-0172
http://technet.microsoft.com/en-us/security/bulletin/ms12-023

MS12-024 - Vulnerability in Windows Could Allow Remote Code Execution (2653956)
Details: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. The security update addresses the vulnerability by modifying the way that the Windows Authenticode Signature Verification function performs Windows Authenticode signature verification when verifying portable executable files.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Products: Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista Service Pack 2, Windows Vista x64 Edition Service Pack 2, Windows Server 2008 for 32-bit Systems Service Pack 2*, Windows Server 2008 for Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems*, Windows Server 2008 R2 for Itanium-based Systems, Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
CVE References: CVE-2012-0151
http://technet.microsoft.com/en-us/security/bulletin/ms12-024

MS12-025 - Vulnerability in .NET Framework Could Allow Remote Code Execution (2671605)
Details: This security update resolves one privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting the manner in which the Microsoft .NET Framework validates parameters when passing data to a function.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Products: Microsoft .NET Framework 1.0 Service Pack 3, Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4
CVE References: CVE-2012-0163
http://technet.microsoft.com/en-us/security/bulletin/ms12-025

MS12-026 - Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860)
Details: This security update resolves 2 privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG). The more severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted query to the UAG server. This security update is rated Important for Microsoft Forefront Unified Access Gateway 2010 Service Pack 1 and Microsoft Forefront Unified Access Gateway 2010 Service Pack 1 Update 1. The security update addresses the vulnerabilities by modifying UAG code to require further verification before redirecting a user to another website, and by modifying the UAG server's default binding settings to not allow unfiltered access to internal resources.
Maximum Security Impact: Information disclosure
Aggregate Severity Rating: Important
Maximum Exploitability Index: 3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Products: Microsoft Forefront Unified Access Gateway 2010 Service Pack 1, Microsoft Forefront Unified Access Gateway 2010 Service Pack 1 Update 1
CVE References: CVE-2012-0146, CVE-2012-0147
http://technet.microsoft.com/en-us/security/bulletin/ms12-026

MS12-027 - Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)
Details: This security update resolves a privately disclosed vulnerability in Windows common controls. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. However, in all cases, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The security update addresses the vulnerability by disabling the vulnerable version of the Windows common controls and replacing it with a new version that does not contain the vulnerability.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Temporary
Affected Products: Microsoft Office Suites and Components, Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2008, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Visual FoxPro, Visual Basic
CVE References: CVE-2012-0158
http://technet.microsoft.com/en-us/security/bulletin/ms12-027

MS12-028 - Vulnerability in Microsoft Office Could Allow Remote Code Execution (2639185)
Details: This security update resolves a privately reported vulnerability in Microsoft Office and Microsoft Works. The vulnerability could allow remote code execution if a user opens a specially crafted Works file. An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. The security update addresses the vulnerability by deprecating the vulnerable Microsoft Works converter.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Important
Maximum Exploitability Index: 3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Products: Microsoft Office 2007 Service Pack 2, Microsoft Works 9, Microsoft Works 6–9 File Converter
CVE References: CVE-2012-0177
http://technet.microsoft.com/en-us/security/bulletin/ms12-028

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly. With regard to MS12-027, Microsoft strongly recommends that this vulnerability be patched at the earliest opportunity. If organizations are unable to patch in a timely manner, they might consider using the workaround suggested by Microsoft, provided here:
http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx
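As an added example for administrators tracking deployment of these updates (this script is not part of the CCIRC advisory or Microsoft's guidance), the following PowerShell audit checks a Windows host for the knowledge-base article numbers that appear in the six bulletin titles above. It assumes PowerShell 2.0 or later on the audited host and relies only on the built-in Get-HotFix cmdlet; the bulletin-to-KB mapping is taken from this advisory.

```powershell
# Added example (not from the CCIRC advisory): audit one Windows host against the
# KB numbers named in the April 2012 Microsoft bulletin titles listed above.
# Assumes PowerShell 2.0+; the hashtable below is copied from this advisory.

$Bulletins = @{
    'MS12-023' = 'KB2675157'   # Cumulative Security Update for Internet Explorer
    'MS12-024' = 'KB2653956'   # Windows Authenticode signature verification
    'MS12-025' = 'KB2671605'   # .NET Framework (XBAP)
    'MS12-026' = 'KB2663860'   # Forefront Unified Access Gateway
    'MS12-027' = 'KB2664258'   # Windows Common Controls - under limited targeted attack
    'MS12-028' = 'KB2639185'   # Microsoft Office / Works converter
}

# Get-HotFix reads Win32_QuickFixEngineering, which only records updates
# installed through Windows servicing (Windows, IE and .NET packages).
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

$report = foreach ($bulletin in ($Bulletins.Keys | Sort-Object)) {
    $kb = $Bulletins[$bulletin]
    New-Object PSObject -Property @{
        Bulletin  = $bulletin
        KB        = $kb
        Installed = [bool]($installed -contains $kb)
    }
}

$report | Sort-Object Bulletin | Format-Table Bulletin, KB, Installed -AutoSize

# Call out the bulletin the advisory singles out for priority patching.
$ms12027 = $report | Where-Object { $_.Bulletin -eq 'MS12-027' }
if (-not $ms12027.Installed) {
    Write-Warning 'MS12-027 (KB2664258) not found in the servicing inventory; verify Office/SQL patch state or apply the Microsoft workaround.'
}

# Non-zero exit code lets a scheduled job or configuration tool flag the host.
$missing = @($report | Where-Object { -not $_.Installed })
exit $missing.Count
```

Two caveats when reading the output. First, the number in a bulletin title is the parent article for that bulletin, and the per-product packages it ships (for example the individual .NET Framework or Office updates) may carry their own KB numbers, so a "not installed" result for those rows means "not found under this number", not necessarily "unpatched". Second, Office, SQL Server and UAG updates are installed through Windows Installer rather than Windows servicing and do not appear in Get-HotFix at all; for MS12-026, MS12-027 and MS12-028 the result must be confirmed from the application's own update history or your patch-management system.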

Microsoft has published a risk matrix table to assist organizations in evaluating and prioritizing deployment of these security updates. This table is available at the following URL:
http://blogs.technet.com/b/msrc/archive/2012/04/10/windows-xp-and-office-2003-countdown-to-end-of-support-and-the-april-2012-bulletins.aspx

References:
http://technet.microsoft.com/en-us/security/bulletin/ms12-apr

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca
