VERT Alert - February 14, 2012

February 14, 2012 4:10 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-445 on Wednesday, February 15th.

GDI Access Violation Vulnerability CVE-2011-5046
Keyboard Layout Use After Free Vulnerability CVE-2012-0154
AfdPoll Elevation of Privilege Vulnerability CVE-2012-0148
Ancillary Function Driver Elevation of Privilege Vulnerability CVE-2012-0149
Copy and Paste Information Disclosure Vulnerability CVE-2012-0010
HTML Layout Remote Code Execution Vulnerability CVE-2012-0011
Null Byte Information Disclosure Vulnerability CVE-2012-0012
VML Remote Code Execution Vulnerability CVE-2012-0155
XSS in inplview.aspx Vulnerability CVE-2012-0017
XSS in themeweb.aspx Vulnerability CVE-2012-0144
XSS in wizardlist.aspx Vulnerability CVE-2012-0145
Color Control Panel Insecure Library Loading Vulnerability CVE-2012-5082
Msvcrt.dll Buffer Overflow Vulnerability CVE-2012-0150
Indeo Codec Insecure Library Loading Vulnerability CVE-2012-3138
VSD File Format Memory Corruption Vulnerability CVE-2012-0019
VSD File Format Memory Corruption Vulnerability CVE-2012-0020
VSD File Format Memory Corruption Vulnerability CVE-2012-0136
VSD File Format Memory Corruption Vulnerability CVE-2012-0137
VSD File Format Memory Corruption Vulnerability CVE-2012-0138
AfdPoll Elevation of Privilege Vulnerability CVE-2012-0014
.NET Framework Unmanaged Objects Vulnerability CVE-2012-0015


The first bulletin this month resolves two vulnerabilities affecting the Windows Kernel Mode Drivers. One of these vulnerabilities has been discussed publicly, and proof-of-concept code has been released. Both vulnerabilities affect all supported Windows operating systems.


The two vulnerabilities patched by MS12-009 are flaws in the Ancillary Function Driver (AFD.sys) that could lead to privilege escalation. While one of these vulnerabilities (CVE-2012-0149) only affects Windows Server 2003, the other vulnerability (CVE-2012-0148) affects all 64-bit operating systems.


This month's Internet Explorer update resolves 4 vulnerabilities. The interesting twist here is that all four vulnerabilities affect Internet Explorer 9, while only one of the four affects IE6.


The fourth bulletin this month fixes three cross-site scripting vulnerabilities affecting SharePoint Server and SharePoint Foundation 2010.


This bulletin is the first of two resolving DLL Preloading issues this month; this one is found in the Color Control Panel.


This bulletin, the most critical after MS12-010, is probably the one that will draw the most attention. Seeing that the C Run-Time is affected is a big deal; luckily the only known attack vector is via Windows Media Player. While that's still a concern, and enough to rank this vulnerability as Critical, it makes it less scary than it could be. Please note that third party software could provide additional attack vectors to hit the vulnerable code. Microsoft has released a blog post that contains additional details as well as guidance for 3rd party application developers.


The second DLL Preloading issue this month affects the Indeo codec, which has been around since 1992 and warranted its own blog post, which is a very interesting read and definitely recommended.


The award for most CVEs in a bulletin this month goes to MS12-015 for five vulnerabilities related to the Visio document format (VSD).


The final bulletin this month affects .NET Framework and Silverlight. One of these two vulnerabilities has been disclosed publicly and the latest versions of this software (.NET 4 and Silverlight 4) are only affected by the other vulnerability.

Other Information

VERT will also be releasing updates to detect the new Adobe Shockwave vulnerabilities reported in APSB12-02.


As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table:

Ease of Use labels: Automated Exploit, Extremely Difficult, No Known Exploit
Risk labels: Local Availability, Remote Availability, Remote Access, Local Privileged, Remote Privileged


All data and commentary is based on information available when the VERT Alert is published.