Critical Patch Tuesday bulletin addresses Microsoft Office attack seen in the wild

Bulletins warn of SQL Server, Visual Basic, IE threats as well

While four of the six security bulletins that Microsoft issued for April's Patch Tuesday release are rated "critical," one in particular has already been targeted by an attack lurking in the wild.

The MS12-027 security bulletin addresses a vulnerability found in Microsoft Office versions 2003 to 2010 -- excluding the 64-bit version of Office 2010 -- and is susceptible to attacks embedded in rich text format (RTF) files. Qualys CTO Wolfgang Kandek says limited attacks targeting this exploit have already been identified in the wild. Now that the vulnerability has been made public, he says it won't be long until more attacks are designed to exploit it.

RELATED: Useful security threat data advisory tools

RELATED: Microsoft's MAPP reportedly hacked, RDP exploits coming sooner than expected

Jason Miller, manager of research and development at VMware, says the vulnerability addressed in MS12-027 "is a little scary" because it also affects SQL Server and developer tools like Visual Basic and Visual FoxPro and is likely to be found in spam attacks. Citing the increasingly deceptive spam attacks of late, which have advanced beyond fake ads for designer accessories and erectile dysfunction medication, Miller says that even those who are diligent about the emails they open may fall for an attack carrying an RTF exploit.

"I hate to say it, but the people who spam weren't very creative with what they did before," Miller says. "But if you look at the spam that's out there lately, it's Delta airlines confirmation emails or UPS claiming they dropped a package at your house and you need to open [a document] to confirm. So they're getting more and more intelligent about how to entice somebody to open up these attachments."

Miller urges Microsoft customers to treat a separate patch for an Internet Explorer vulnerability with just as much importance as MS12-027. Part of the reason for concern over the vulnerabilities patched in MS12-023 is that they lie in Web browsers that are used often by end users who may not have security in mind, Miller says. The other part is the high likelihood that it could be attacked within the next 30 days, as is suggested by the rating of 1 Microsoft gave it on its exploitability index.

"That's going to be a prime target for people. With the bi-monthly update, it should definitely be at the top of the list of what you're looking at," Miller says. "A lot of the vulnerabilities fixed are drive-by scenarios, so you're probably going to see some malicious sites popping up."

MS12-023 addresses a vulnerability that affects Internet Explorer Versions 6 through 9, and comes before the patch for the IE exploit made public at last month's CanSecWest Pwn2Own contest.

Two of the remaining bulletins were also rated critical and address remote code execution vulnerabilities in Windows and the .Net framework. The remaining two, deemed "important," address exploits in Office and Forefront Unified Access Gateway.

The six security bulletins issued in April bring Microsoft's total to 28 in 2012. In comparison, the company issued 34 bulletins through the first four months of last year, half of which came in April.

Colin Neagle covers Microsoft security and network management for Network World. Keep up with his blog: Rated Critical, follow him on Twitter: @ntwrkwrldneagle. Colin's email is cneagle@nww.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies