Today we released MS12-060, addressing a potential remote code execution vulnerability in MSCOMCTL.OCX, the binary included with a number of Microsoft products to provide a set of common ActiveX controls.

Limited, targeted attacks exploiting CVE-2012-1856

MS12-060 is on the list of high priority updates for this month for two reasons: we are aware of very limited, targeted attacks taking advantage of CVE-2012-1856, and we expect to see new attacks taking advantage of this vulnerability in the days ahead. We discovered this vulnerability in a malicious RTF file sent by email which attempted to run an exploit when opened with WordPad or Microsoft Word. Deploying MS12-060 will address the vulnerability and will protect against these attacks. So once again we emphasize the urgency of applying this update as soon as possible.

Comparing MS12-060 to MS12-027 (previous MSCOMCTL bulletin)

MS12-060 addresses a different vulnerability than the one addressed by the previous MSCOMCTL security update, MS12-027. The previous vulnerability (CVE-2012-0158) was a stack-based buffer overflow affecting both the TreeView and ListView controls. MS12-060 instead fixes a different issue (CVE-2012-1856) caused by an incorrect memory allocation in the code of the TabStrip control. In both cases code execution is possible, but the exploitation methods are very different. We expect to see attacks exploiting CVE-2012-1856 delivered as Office documents, and mostly as RTF files, because of the antivirus signature evasion options offered by the RTF format, which we previously observed in attacks on the CVE-2012-0158 MSCOMCTL vulnerability.

Office mitigations against embedded controls

Microsoft Office includes various on-by-default mitigations and a range of optional security features that, added on top of the MS12-060 security update, offer additional protection layers against suspicious documents with embedded ActiveX controls (such as MSCOMCTL) or other potentially harmful active content. All these mitigations and additional protection settings have been covered and explained in detail in a previous blog post available at http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx. All the protection settings discussed in that post, such as the Office kill bit and Protected View, are valid defensive measures that will harden Office against similar attacks. The vulnerable CLSID for CVE-2012-1856 is 1EFB6596-857C-11D1-B16A-00C0F0283628.
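
The following PowerShell script is an added example, not part of the original post or of the Microsoft tooling it references: it audits, and with -Apply sets, the Office COM kill bit for the TabStrip CLSID named above. It assumes the Office kill bit is stored as the 0x400 flag in "Compatibility Flags" under the Office COM Compatibility key (and its Wow6432Node counterpart for 32-bit Office on 64-bit Windows); the $Clsid value comes from the post, everything else is the example's own.

```powershell
# Added example (not from the original post): audit/set the Office COM kill bit
# for the MSCOMCTL TabStrip control (CLSID taken from the post above).
# Run as an administrator; without -Apply the script only reports current state.
param(
    [switch]$Apply
)

$Clsid   = '{1EFB6596-857C-11D1-B16A-00C0F0283628}'   # TabStrip control, CVE-2012-1856
$KillBit = 0x400                                         # assumed Office kill-bit flag value

# Assumption: 64-bit Windows keeps 32-bit Office settings under Wow6432Node.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
)

foreach ($path in $KeyPaths) {
    $flags = $null
    if (Test-Path $path) {
        $item  = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($item) { $flags = [int]$item.'Compatibility Flags' }
    }
    $isSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    $state = if ($isSet) { 'SET' } else { 'NOT set' }
    Write-Output ("{0}`n    Office kill bit: {1}" -f $path, $state)

    if ($Apply -and -not $isSet) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Preserve any other compatibility flags already present, only add 0x400.
        $newFlags = ([int]$flags) -bor $KillBit
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $newFlags `
                         -PropertyType DWord -Force | Out-Null
        Write-Output ("    -> kill bit applied (Compatibility Flags = 0x{0:X})" -f $newFlags)
    }
}
```

Once the kill bit is set, Office refuses to load this control in any document, legitimate ones included, so test the setting against documents your users rely on before deploying it broadly.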

One more protection layer that we found useful against RTF-based attacks is enabling the Protected View feature by default for all RTF files from the Office Trust Center panel. This simple setting prevents automatic loading of embedded controls and active content in RTF documents. The Trust Center panel offers two possible configurations: opening RTF files in Protected View with or without editing features enabled. Opening the document in Protected View without editing will block attacks based on embedded controls while still allowing reading and viewing of RTF documents. It is a very good safeguard against malicious RTF files with embedded controls.

Deploying EMET to mitigate the risk

Finally, we noticed that the Enhanced Mitigation Experience Toolkit (EMET) is able to mitigate or neutralize exploitation attempts for this vulnerability. We therefore encourage customers who want to add an additional layer of protection on top of the MS12-060 security update to consider deploying EMET, at least to protect browser programs and Office applications on client machines. EMET 3.0 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=29851.

Acknowledgement

Thanks to Ali Rahbar and Ali Pezeshk from MSRC Engineering for the help investigating this vulnerability.

- Elia Florio, MSRC Engineering