VERT Alert - May 8, 2012

May 8, 2012 5:55 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire 's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for this bulletin in order to meet our 24-hour SLA and expects to ship ASPL-457 on Wednesday, May 9th.

RTF Mismatch Vulnerability CVE-2012-0183
Excel File Format Memory Corruption Vulnerability CVE-2012-0141
Excel File Format Memory Corruption in OBJECTLINK Record Vulnerability CVE-2012-0142
Excel Memory Corruption using Various Modified Bytes Vulnerability CVE-2012-0143
Excel SXLI Record Memory Corruption Vulnerability CVE-2012-0184
Excel MergeCells Record Help Overflow Vulnerability CVE-2012-0185
Excel Series Record Parsing Type Mismatch Could Result in Remote Code Execution Vulnerability CVE-2012-1847
VSD File Format Memory Corruption Vulnerability CVE-2012-0018
Windows Firewall Bypass Vulnerability CVE-2012-0174
TCP/IP Double Free Vulnerability CVE-2012-0179
Plug and Play (PnP) Configuration Manager Vulnerability CVE-2012-0178
TrueType Font Parsing Vulnerability CVE-2012-3402
TrueType Font Parsing Vulnerability CVE-2012-0159
.NET Framework Buffer Allocation Vulnerability CVE-2012-0162
.NET Framework Index Comparison Vulnerability CVE-2012-0164
GDI+ Record Type Vulnerability CVE-2012-0165
GDI+ Heap Overflow Vulnerability CVE-2012-0167
Silverlight Double-Free Vulnerability CVE-2012-0176
Windows and Messages Vulnerability CVE-2012-0180
Keyboard Layout File Vulnerability CVE-2012-0181
Scrollbar Calculation Vulnerability CVE-2012-1848
.NET Framework Serialization Vulnerability CVE-2012-0160
.NET Framework Serialization Vulnerability CVE-2012-0161


The first bulletin this month is a critical vulnerability in Microsoft Word, specifically the RTF parsing capabilities. This vulnerability could be exploited via RTF email and Microsoft has advised users to read email in plaintext as means of mitigating the issue. It is advisable to always read email in plaintext to reduce the risk posed by malicious email.


Office and Excel are both frequent visitors on Patch Tuesday, so it's not surprising that we're seeing them here today. There's nothing that really stands out in this bulletin, except for the horribly named "Excel Series Record Parsing Type Mismatch Could Result in Remote Code Execution Vulnerability".


This bulletin affects only the Visio Viewer, generally you'd expect to see Visio affected as well, but that's not the case here... Visio Viewer 2010 is affected and that's about it.


A local privilege escalation vulnerability and a firewall bypass are resolved in MS12-032. The privilege escalation occurs due to a flaw in the binding of IPv6 addresses to a local interface and only affects Windows 7 and 2008 R2. The firewall bypass is resolved by modifying the way that the Firewall handles the outbound broadcast packets.


An unexpected vulnerability this month is patched by MS12-033. The affected software... Windows Partition Manager. This privilege escalation vulnerability affects Windows Vista and newer operating systems.


This bulletin is best described as a mixed bag. The vulnerability exploited by the Duqu Virus was found to exist in a number of other products, so this bulletin is the fix for all those products. Since Microsoft was shipping fixed files, other vulnerability fixes are being shipped at the same time. In the end, this single bulletin covers Windows, Office, .NET, and Silverlight.


The final bulletin of the month addresses two vulnerabilities affecting the .NET framework, and isn't very interesting. It affects XBAPs, which are disabled in the Internet zone in IE9, which limits the possibility of attack for IE9 users to sites in the intranet zone.

As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table:

Automated Exploit
Extremely Difficult
No Known Exploit
Local Availability
Remote Availability
Remote Access
Local Privileged
Remote Privileged


All data and commentary is based on information available when the VERT Alert is published.