Security

Microsoft Patches Critical Windows Zero-day Bug That Hackers Are Now Exploiting

Microsoft Patches Critical Windows Zero-day Bug That Hackers Are Now Exploiting
Microsoft today delivered six security updates to patch 11 vulnerabilities in Windows, Internet Explorer (IE), Office and several other products, including one bug that attackers are already exploiting.

The company also issued the first patch for Windows 8 Consumer Preview, the beta-like build Microsoft released at the end of February.

But it was MS12-027 that got the most attention today.

"Things got a bit more interesting today," said Andrew Storms, director of security operations at nCircle Security, "because Microsoft is reporting limited attacks in the wild."

Flaws that attackers exploit before a patch is available are called "zero-day" vulnerabilities.

The single vulnerability patched in MS12-027 is in an ActiveX control included with every 32-bit version of Office 2003, 2007 and 2010; Microsoft also called out SQL Server, Commerce Server, BizTalk Server, Visual FoxPro and Visual Basic as needing the patch.

Storms, other security experts and Microsoft, too, all identified MS12-027 as the first update users should install.

Hackers are already using the vulnerability in malformed text documents, which when opened either in Word or WordPad -- the latter is a bare bones text editor bundled with every version of Windows, including Windows 7 -- can hijack a PC, Microsoft acknowledged in a post to its Security Research & Defense (SRD) blog today.

"We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of [the] CVE-2012-0158 vulnerability using specially-crafted Office documents," said Elia Florio, an engineer with the Microsoft Security Response Center, in the SRD blog post.

Microsoft did not disclose when it first became aware of the attacks, or who reported the vulnerability to its security team.

Storms speculated that an individual or company had been attacked, uncovered the bug and notified Microsoft.

Microsoft rarely deploys a patch "out of cycle," meaning outside its usual second Tuesday of every month schedule. The last such update was shipped in December 2011, and was the first for that year.

Also affected is software written by third-party developers who have bundled the buggy ActiveX control with their code or called it. Those developers will have to provide their own updates to customers.

"Any developer that has released an ActiveX control should review the information for this security bulletin," said Jason Miller, manager of research and development at VMware. "These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control."

Attackers can also exploit this bug using "drive-by download" attacks that automatically trigger the vulnerability when IE users browse to a malicious site, Microsoft admitted.

That means the flaw patched by MS12-027 is a double threat. "There are two attack scenarios. There's the malicious website [scenario] and then RTF documents, which are pretty common," Miller said.

Miller expects to see attackers glom onto the vulnerability once they have a chance to analyze the bug and craft their own exploits. "More and more will jump on this this month," Miller argued.

Wolfgang Kandek, chief technology officer at Qualys, agreed. "Now that [the advisory] is published, other malware authors will be looking at it to see what's there," Kandek said. "We're sure to see more attacks against this vulnerability."

Eight of the 11 bugs patched today -- including the one in MS12-027 -- were rated "critical" by Microsoft, its highest threat ranking. Another was pegged "important," and the remaining two were tagged as "moderate."

Microsoft identified MS12-023, a five-patch fix for IE, as the other update to roll out ASAP.

The company typically releases an IE security update in even-numbered months; on those months, security professionals usually recommend that users apply the browser update first.

Not this month.

"MS12-027 trumps the IE update this month," said Miller.

Storms also remarked on the downgrading of the IE bulletin. "When has there been a month when IE hasn't been the one to patch first?" Storms asked. "I can't remember one."

Patches for IE9

Two of the five vulnerabilities in MS12-023 were rated critical for IE9, the newest edition of Microsoft's browser that runs on Windows Vista and Windows 7.

Other bulletins today applied to Windows, .NET, Microsoft's VPN (virtual private networking) tool and Office 2007 and the ancient -- and no longer sold -- Microsoft Works.

Miller pointed out that MS12-024, which patches a critical vulnerability in all supported versions of Windows, also applies to Windows 8 Consumer Preview.

Although the MS12-024 advisory does not mention Windows 8 Consumer Preview, anyone running that sneak peek will be offered the update, said Miller. Computerworld confirmed that MS12-024 was among several other non-security fixes Microsoft delivered to Windows 8 today.

According to Qualys, the bug in MS12-024 lets hackers hitch a ride inside legitimate software installation packages.

Amol Sarwate, manager of Qualys' vulnerability research lab, said the vulnerability would be very attractive to purveyors of phony antivirus software, a category often called "scareware" or "rogueware."

April's six security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

Subscribe to the Security Watch Newsletter

Comments