In short (and in part) from elsewhere..
Patch MS12-027 Now--Zero Day Flaw Being Actively Exploited
Andrew Storms, director of security operations for nCircle, declares MS12-027 is the "deploy now" patch of the month. The Windows Common Controls are widely used throughout the Microsoft ecosystem, so there isn't much that isn't potentially impacted by this one.
Storms adds, "It gets worse: Microsoft has already seen exploits for this vulnerability in the wild in limited attacks."
In a blog post, VMware's Jason Miller explains that the MS12-027 flaw can be exploited by simply visiting a malicious website using Internet Explorer, or by opening a file attachment with an embedded malicious ActiveX control.
Miller agrees with Storms, and emphasizes, "As Microsoft has already seen active exploits against this vulnerability and it contains a Web browsing scenario, it will be critical to push this patch out to your desktop systems as soon as possible."
Wolfgang Kandek, CTO of Qualys, also puts MS12-027 at the top of the priority list. Kandek cautions that not only are exploits already out there in the wild, but malware developers will likely target the vulnerability even more now that they can reverse-engineer the patch.
"Microsoft warns of targeted attacks exploiting Windows flaw" :
One particular bulletin (MS12-027) stands out and patching the vulnerability (CVE-2012-0158) documented in it should be considered a priority, as Microsoft shared that it is currently being exploited in the wild.
"The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability," says Microsoft.
"In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website."
"The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability."
This is one of the rare times where the patching of a flaw that has nothing to do with Internet Explorer has been deemed more important than applying the cumulative patch for the company's browser.
"We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of the CVE-2012-0158 vulnerability using specially-crafted Office documents," stated Elia Florio, a Microsoft Security Response Center engineer.
Microsoft Word 2010 users are partly protected by the product's Protected View, and the danger of attack can be mitigated by disabling ActiveX controls. Still, applying the patch is the best course of action.
"MS12-027: Enhanced protections regarding ActiveX controls in Microsoft Office documents"
From the Security Research & Defense Blog:
Security Update MS12-027 addresses a code execution vulnerability in MSCOMCTL.OCX, the Windows Common Controls ActiveX control. By default, this component is included with all 32-bit versions of Microsoft Office. We'd like to cover the following topics in this blog post:
• Limited, targeted attacks leveraging this vulnerability
• Mitigations in recent versions of Office to reduce the risk
• Extra protections to block all or specific ActiveX controls in Office documents
• The new Office 2010 kill bit feature
Limited, targeted attacks leveraging this vulnerability
We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of CVE-2012-0158 vulnerability using specially crafted Office documents as exploit vector. The specific samples that we have seen have been RTF files attempting to exploit the vulnerability when opened in either WordPad or Microsoft Word. People who install the MS012-027 patch are protected against CVE-2012-0158 so we recommend applying the update right away. Microsoft Word includes various on-by-default mitigations and optional security hardening features that you might consider enabling. Read on to find out more.
Microsoft Word 2010 Protected View as a mitigation
By default, Microsoft Office 2010 opens documents originating from the Internet and from other potentially unsafe locations in a mode called Protected View. This mode does not allow ActiveX controls to load. If a victim running Office 2010 were to receive an exploit for CVE-2012-0158 over the internet or via email, the victim would need to click the Protected View's "Enable Editing" button before the malicious code would be allowed to run. The screenshots below show two examples of Protected View. [Screenshot]
Disabling ActiveX controls in Microsoft Office
ActiveX-based attacks with documents are not new. In this blog we have covered the Behavior of embedded ActiveX controls in Microsoft Office documents (http://blogs.technet.com/b/srd/archive/2009/03/03/behavior-of-activex-controls-embedded-in-office-documents.aspx) three years ago, giving good advice and best practices on how to restrict (or disable) the initialization of embedded controls.
Without going into the details of the previous blog, we'll just mention once more that Office 2007 and 2010 editions have a dedicated panel for ActiveX controls in Trust Center Settings which allows, in its safest configuration, to completely disable all controls embedded in documents or to prompt a warning dialog when a document tries to use certain type of controls as showed by the following picture. [Screenshot]
Continued : http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx
See "Affected Software" in Microsoft Security Bulletin MS12-027: http://technet.microsoft.com/en-us/security/bulletin/ms12-027