Among the 6 security bulletins released by Microsoft as part of the April 2012 updates, there’s one that addresses a vulnerability that’s already being leveraged to launch a limited number of targeted attacks. Because of the current attacks, this update is considered to be the most important of this month.
The MS12-027update fixes a code execution security hole in the Windows Common Controls ActiveX control. More precisely, the flaw exists in MSCOMCTL.OCX.
The cybercriminal simply sends a malicious RTF file via email. Once opened with WordPad or Microsoft Word, the cleverly crafted file exploits the vulnerability, allowing the attacker to execute arbitrary code.
Besides the security update, Microsoft offers some other mitigation tips. For instance, Microsoft Office 2010 opens documents that come from potentially dangerous sources in Protected View, which prevents ActiveX controls from loading.
Since attacks that rely on ActiveX are not new, the 2007 and 2010 editions of Microsoft Office come with a dedicated panel which allows users to disable the component, or choose to be warned if a document attempts to use certain types of controls.
A final mitigation method refers to the use of the ActiveX kill bit feature. In Office 2010, if the kill bit is set, documents that contain embedded controls will be opened, but blocked ActiveX controls will be blocked and replaced with a red X.
Microsoft experts warn that completely disabling ActiveX is a very effective mitigation measure, but for companies it may have negative effects because it may block the execution of certain Office documents.
On the other hand, the kill bit feature may prove to be the best because it offers both organizations and consumers a more selective way to control what can be safely loaded.
Since attacks are already being seen, it’s likely that they will continue. This is why users are advised to apply the latest updates, or implement one of the mitigation mechanisms described above.