VERT Alert - April 10, 2012

April 10, 2012 2:30 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 6 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-453 on Wednesday, April 11th.

Print Feature Remote Code Execution Vulnerability CVE-2012-0168
JScript9 Remote Code Execution Vulnerability CVE-2012-0169
OnReadyStateChange Remote Code Execution Vulnerability CVE-2012-0170
SelectAll Remote Code Execution Vulnerability CVE-2012-0171
VML Style Remote Code Execution Vulnerability CVE-2012-0172
WinVerifyTrust Signature Validation Vulnerability CVE-2012-0151
.NET Framework Parameter Validation Vulnerability CVE-2012-0163
UAG Blind HTTP Redirect Vulnerability CVE-2012-0146
Unfiltered Access to UAG Default Website Vulnerability CVE-2012-0147
MSCOMCTL.OCX RCE Vulnerability CVE-2012-0158
Office WPS Converter Heap Overflow Vulnerability CVE-2012-0177


The first bulletin this month belongs to Internet Explorer and includes fixes for 5 CVEs; as usual, it's important to place this update near the top of your priority list. It is worth noting that once again newer IE versions have proven more secure than older versions, with four CVEs affecting IE6 and only three CVEs affecting IE9. At the same time, one CVE applies only to IE9.


The bulletin for the WinVerifyTrust Signature Validation vulnerability is one of the more interesting released this month. A flaw in WinVerifyTrust signature validation leaves a portion of an executable unverified. An attacker could replace that unverified code with malicious code and the signature would still validate. While the attack requires the user to run the file, this vulnerability lets the attacker play on existing user trust and potentially bypass any user awareness training that has stuck with end users.


The single CVE patched by MS12-025 affects the .NET Framework, specifically a parameter validation vulnerability affecting XBAPs (XAML Browser Applications).


MS12-026 introduces fixes for two Forefront Unified Access Gateway vulnerabilities. The first allows a malicious user to provide a link that will redirect authenticated UAG users to another website, while the second provides a means for an attacker to gain access to a website without requiring authentication.


The MSCOMCTL.OCX bulletin wins the award for the most critical vulnerability this month. Microsoft rated it this way because of the limited targeted attacks they are seeing; I'm adding the sheer number of applications updated as another reason. Coordinating this patch properly will require extra attention.


The final bulletin this month resolves a Microsoft Works converter issue that also affects Microsoft Office 2007. It's important to note that only Office 2007 SP2 is affected; Service Pack 3 has found its way onto the "not affected" list.


As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table: [table graphic not reproduced in this text; its axes were Ease of Use: Automated Exploit / Extremely Difficult / No Known Exploit, and Risk: Local Availability / Remote Availability / Remote Access / Local Privileged / Remote Privileged]


All data and commentary are based on information available when the VERT Alert is published.