Office & Productivity Software forum


Critical Microsoft Update (MS12-027) for Microsoft Office

by Carol~ Forum moderator / April 11, 2012 4:28 AM PDT

"MS12-027: Enhanced protections regarding ActiveX controls in Microsoft Office documents"

From the Security Research & Defense Blog:

Security Update MS12-027 addresses a code execution vulnerability in MSCOMCTL.OCX, the Windows Common Controls ActiveX control. By default, this component is included with all 32-bit versions of Microsoft Office. We'd like to cover the following topics in this blog post:

• Limited, targeted attacks leveraging this vulnerability
• Mitigations in recent versions of Office to reduce the risk
• Extra protections to block all or specific ActiveX controls in Office documents
• The new Office 2010 kill bit feature

Limited, targeted attacks leveraging this vulnerability

We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of CVE-2012-0158 vulnerability using specially crafted Office documents as exploit vector. The specific samples that we have seen have been RTF files attempting to exploit the vulnerability when opened in either WordPad or Microsoft Word. People who install the MS012-027 patch are protected against CVE-2012-0158 so we recommend applying the update right away. Microsoft Word includes various on-by-default mitigations and optional security hardening features that you might consider enabling. Read on to find out more.

Microsoft Word 2010 Protected View as a mitigation

By default, Microsoft Office 2010 opens documents originating from the Internet and from other potentially unsafe locations in a mode called Protected View. This mode does not allow ActiveX controls to load. If a victim running Office 2010 were to receive an exploit for CVE-2012-0158 over the internet or via email, the victim would need to click the Protected View's "Enable Editing" button before the malicious code would be allowed to run. The screenshots below show two examples of Protected View. [Screenshot]

Disabling ActiveX controls in Microsoft Office

ActiveX-based attacks with documents are not new. In this blog we have covered the Behavior of embedded ActiveX controls in Microsoft Office documents ( three years ago, giving good advice and best practices on how to restrict (or disable) the initialization of embedded controls.

Without going into the details of the previous blog, we'll just mention once more that Office 2007 and 2010 editions have a dedicated panel for ActiveX controls in Trust Center Settings which allows, in its safest configuration, to completely disable all controls embedded in documents or to prompt a warning dialog when a document tries to use certain type of controls as showed by the following picture. [Screenshot]

Continued :

See "Affected Software" in Microsoft Security Bulletin MS12-027:

Post a reply
Discussion is locked
You are posting a reply to: Critical Microsoft Update (MS12-027) for Microsoft Office
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Critical Microsoft Update (MS12-027) for Microsoft Office
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
From Elsewhere..
by Carol~ Forum moderator / April 11, 2012 9:24 AM PDT

In short (and in part) from elsewhere..

Patch MS12-027 Now--Zero Day Flaw Being Actively Exploited

Andrew Storms, director of security operations for nCircle, declares MS12-027 is the "deploy now" patch of the month. The Windows Common Controls are widely used throughout the Microsoft ecosystem, so there isn't much that isn't potentially impacted by this one.

Storms adds, "It gets worse: Microsoft has already seen exploits for this vulnerability in the wild in limited attacks."

In a blog post, VMware's Jason Miller explains that the MS12-027 flaw can be exploited by simply visiting a malicious website using Internet Explorer, or by opening a file attachment with an embedded malicious ActiveX control.

Miller agrees with Storms, and emphasizes, "As Microsoft has already seen active exploits against this vulnerability and it contains a Web browsing scenario, it will be critical to push this patch out to your desktop systems as soon as possible."

Wolfgang Kandek, CTO of Qualys, also puts MS12-027 at the top of the priority list. Kandek cautions that not only are exploits already out there in the wild, but malware developers will likely target the vulnerability even more now that they can reverse-engineer the patch.

"Microsoft warns of targeted attacks exploiting Windows flaw" :

One particular bulletin (MS12-027) stands out and patching the vulnerability (CVE-2012-0158) documented in it should be considered a priority, as Microsoft shared that it is currently being exploited in the wild.

"The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability," says Microsoft.

"In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website."

"The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability."

This is one of the rare times where the patching of a flaw that has nothing to do with Internet Explorer has been deemed more important than applying the cumulative patch for the company's browser.

"We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of the CVE-2012-0158 vulnerability using specially-crafted Office documents," stated Elia Florio, a Microsoft Security Response Center engineer.

Microsoft Word 2010 users are partly protected by the product's Protected View, and the danger of attack can be mitigated by disabling ActiveX controls. Still, applying the patch is the best course of action.

Collapse -
Thank you Carol
by MarkFlax Forum moderator / April 12, 2012 8:47 PM PDT
In reply to: From Elsewhere..

and, er, I forgot to let you know I had made this Sticky!

I've been busy answering emails! Devil


Collapse -
You're welcome, Mark
by Carol~ Forum moderator / April 12, 2012 10:38 PM PDT
In reply to: Thank you Carol

And all this time, I thought it was due to .. a matter of "TMI" (Too Much Information).

You've been busy answering emails? You must be awfully busy not to have answered the email I sent you 3 weeks ago. Sad

Not to worry. I only wrote to ask if it was okay to delete one of your posts. After not hearing from you after 2 weeks, I took it to mean it was okay. Soooo... ** I deleted it! Grin


** Not really.

Collapse -
by MarkFlax Forum moderator / April 13, 2012 4:38 AM PDT
In reply to: You're welcome, Mark
Popular Forums
Computer Help 49,613 discussions
Computer Newbies 10,349 discussions
Laptops 19,436 discussions
Security 30,426 discussions
TVs & Home Theaters 20,308 discussions
Windows 10 360 discussions
Phones 15,802 discussions
Windows 7 7,351 discussions
Networking & Wireless 14,641 discussions


$16,000 used SUVs

Whether you like your SUVs cute or capable, or some blend of the two, we've got a wide variety of choices in Roadshow's first collection of Editors' Used Picks.