Critical Product Vulnerability – May 2012 Microsoft Security Bulletin Release

What is the purpose of this alert?

Bulletin ID

Bulletin Title

Max Severity
Rating

Vulnerability
Impact

Restart
Requirement

Affected
Software

MS12-029

Vulnerability in Microsoft Word
Could Allow Remote Code Execution (2680352)

Critical

Remote Code Execution

May require restart

Microsoft Word 2003, Word 2007,
Office Compatibility Pack, Office 2008 for Mac, and Office for Mac 2011.

MS12-030

Vulnerabilities
in Microsoft Office Could Allow Remote Code Execution (2663830)

Important

Remote Code
Execution

May require
restart

Microsoft Excel
2003, Excel 2007, Excel 2010, Excel Viewer, Office 2007, Office 2010, Office
Compatibility Pack, Office 2008 for Mac, and Office for Mac 2011.

MS12-031

Vulnerability in Microsoft Visio
Viewer 2010 Could Allow Remote Code Execution (2597981)

Important

Remote Code Execution

May require restart

Microsoft Visio Viewer 2010

MS12-032

Vulnerability
in TCP/IP Could Allow Elevation of Privilege (2688338)

Important

Elevation of
Privilege

Requires
restart

Microsoft
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

MS12-033

Vulnerability in Windows Partition
Manager Could Allow Elevation of Privilege (2690533)

Important

Elevation of Privilege

Requires restart

Microsoft Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2.

MS12-034

Combined
Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
(2681578)

Critical

Remote Code
Execution

May require
restart

Microsoft
Office 2003, Office 2007, Office 2010, .NET Framework, Windows XP, Windows
Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server
2008 R2, Silverlight 4, and Silverlight 5.

MS12-035

Vulnerabilities in .NET Framework
Could Allow Remote Code Execution (2693777)

Critical

Remote Code Execution

May require restart

Microsoft .NET Framework, Windows
XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2.

Security
Advisory 2695962

Update Rollup
for ActiveX Kill Bits

Affected Software

·        
Microsoft
Windows XP

·        
Windows
Server 2003

·        
Windows
Vista

·        
Windows
Server 2008

·        
Windows
7

·        
Windows
Server 2008 R2

Executive
Summary

Microsoft is
releasing a new set of ActiveX kill bits with this advisory. This update sets
the kill bits for the following third-party software:

·        
Cisco Clientless VPN solution

·        
The class identifier (CLSID) for this ActiveX control is:

·        
{B8E73359-3422-4384-8D27-4EA1B4C01232}

More Information

http://technet.microsoft.com/security/advisory/2695962

Bulletin
Identifier

Microsoft
Security Bulletin MS12-029

Bulletin Title

Vulnerability in
Microsoft Word Could Allow Remote Code Execution (2680352)

Executive
Summary

This
security update resolves a privately reported vulnerability in Microsoft
Office. The vulnerability could allow remote code execution if a user opens a
specially crafted RTF file. The
security update addresses the vulnerabilities by modifying the way that
Microsoft Office parses RTF-formatted data.

Severity Ratings and
Affected Software

·        
This security update is rated Critical for all supported
editions of Microsoft Word 2007.

·        
This security update is also rated Important for all supported
editions of Microsoft Word 2003, Microsoft Office 2008 for Mac, and Microsoft
Office for Mac 2011; and all supported versions of Microsoft Office
Compatibility Pack.

Attack
Vectors

·        
This vulnerability requires that a user open or preview
specially crafted RTF-formatted data with an affected version of Microsoft
Office software.

·        
In an email attack scenario, an attacker could exploit
the vulnerability by sending specially-crafted RTF-formatted data in the
contents of an email message. The vulnerability could be exploited when the
specially crafted RTF email message is previewed or opened in Outlook while
using Microsoft Word as the email viewer. An attacker could also exploit the
vulnerability by sending a specially-crafted RTF file as an attachment and
convincing the user to open the specially crafted RTF file. Note that by
default, Microsoft Word is the email reader in Outlook 2007.

·        
In a web-based attack scenario, an attacker could host a
website that contains an Office file that is used to attempt to exploit this
vulnerability. In addition, compromised websites and websites that accept or
host user-provided content could contain specially crafted content that could
exploit this vulnerability. In all cases, an attacker would have no way to
force users to visit a specially crafted website. Instead, an attacker would
have to convince them to visit the website, typically by getting them to
click a link that takes them to the attacker’s site, and then convince them
to open the specially crafted Office file.

Mitigating Factors

·        
An
attacker who successfully exploited this vulnerability could gain the same
user rights as the current user. Users whose accounts are configured to have
fewer user rights on the system could be less impacted than users who operate
with administrative user rights.

·        
In
a web-based attack scenario, an attacker would have no way to force users to
visit a malicious website. Instead, an attacker would have to convince users
to visit the website, typically by getting them to click a link in an email
message or Instant Messenger message that takes users to the attacker’s
website, and then convince them to open the specially crafted Office file.

Restart
Requirement

This
update may require a restart.

Bulletins Replaced
by This Update

MS11-094, MS11-089,
and MS10-079.

Full
Details

http://technet.microsoft.com/security/bulletin/MS12-029

Bulletin
Identifier

Microsoft
Security Bulletin MS12-030

Bulletin Title

Vulnerabilities in
Microsoft Office Could Allow Remote Code Execution (2663830)

Executive
Summary

This
security update resolves one publicly disclosed and five privately reported
vulnerabilities in Microsoft Office. The vulnerabilities could allow remote
code execution if a user opens a specially crafted Office file. The security update
addresses the vulnerabilities by correcting the way that Microsoft Excel
validates data when opening specially crafted Excel files.

Severity Ratings and
Affected Software

This security update
is rated Important for all supported editions of Microsoft Excel 2003,
Microsoft Excel 2007, Microsoft Office 2007, Microsoft Excel 2010, Microsoft
Office 2010, Microsoft Office 2008 for Mac, and Microsoft Office for Mac
2011; it is also rated Important for supported versions of Microsoft Excel
Viewer and Microsoft Office Compatibility Pack.

Attack
Vectors

·        
These vulnerabilities require that a user open a
specially crafted Excel file with an affected version of Microsoft Excel.

·        
In an email attack scenario, an attacker could exploit
these vulnerabilities by sending a specially crafted Excel file to the user
and by convincing the user to open the file.

·        
In a web-based attack scenario, an attacker would have to
host a website that contains a specially crafted Excel file that is used to
attempt to exploit this vulnerability. In addition, compromised websites and
websites that accept or host user-provided content could contain specially
crafted content that could exploit this vulnerability. An attacker would have
no way to force users to visit a specially crafted website. Instead, an
attacker would have to convince users to visit the website, typically by
getting them to click a link that takes them to the attacker’s site, and then
convince them to open the specially crafted Excel file.

Mitigating Factors

·        
In
a web-based attack scenario, an attacker would have to convince users to
visit the malicious website, typically by getting them to click a link in an
email message or Instant Messenger message that takes them to the attacker’s
website, and then convince them to open the specially crafted Excel file.

·        
An
attacker who successfully exploited these vulnerabilities could gain the same
user rights as the logged-on user. Users whose accounts are configured to
have fewer user rights on the system could be less impacted than users who
operate with administrative user rights.

·        
These
vulnerabilities cannot be exploited automatically through email. For an
attack to be successful a user must open an attachment that is sent in an
email message..

Restart
Requirement

This
update may require a restart.

Bulletins Replaced
by This Update

MS11-096, MS11-094,
MS11-089, and MS11-072.

Full
Details

http://technet.microsoft.com/security/bulletin/MS12-030

Bulletin
Identifier

Microsoft
Security Bulletin MS12-031

Bulletin Title

Vulnerability in
Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)

Executive
Summary

This
security update resolves a privately reported vulnerability in Microsoft
Office. The vulnerability could allow remote code execution if a user opens a
specially crafted Visio file. The
security update addresses the vulnerability by modifying the way that
Microsoft Visio Viewer validates data when parsing specially crafted Visio
files.

Severity Ratings and
Affected Software

This security update
is rated Important for all supported editions of Microsoft Visio Viewer 2010.

Attack
Vectors

·        
This vulnerability requires that a user open a specially
crafted Visio file with an affected version of Microsoft Visio Viewer.

·        
In an email attack scenario, an attacker could exploit
the vulnerability by sending a specially crafted Visio file to the user and
by convincing the user to open the file.

·        
In a web-based attack scenario, an attacker would have to
host a website that contains a specially crafted Visio file that is used to
attempt to exploit this vulnerability. In addition, compromised websites and
websites that accept or host user-provided content could contain specially
crafted content that could exploit this vulnerability. An attacker would have
no way to force users to visit a specially crafted website. Instead, an
attacker would have to convince users to visit the website, typically by
getting them to click a link that takes them to the attacker’s site, and then
convince them to open a specially crafted Visio file.

Mitigating Factors

·        
By
default, all supported versions of Microsoft Outlook, Microsoft Outlook
Express, and Windows Mail open HTML email messages in the Restricted sites
zone. The Restricted sites zone, which disables script and ActiveX controls,
helps reduce the risk of an attacker being able to use this vulnerability to
execute malicious code. If a user clicks a link in an email message, the user
could still be vulnerable to exploitation of this vulnerability through the
web-based attack scenario.

·        
By
default, Internet Explorer on Windows Server 2003, Windows Server 2008, and
Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced
Security Configuration. This mode mitigates this vulnerability.

·        
In
a web-based attack scenario, an attacker would have to convince users to
visit the website, typically by getting them to click a link in an email
message or Instant Messenger message that takes users to the attacker’s
website, and convince them to open the specially crafted Visio file.

·        
An
attacker who successfully exploited this vulnerability could gain the same
user rights as the current user. Users whose accounts are configured to have
fewer user rights on the system could be less impacted than users who operate
with administrative user rights.

Restart
Requirement

This
update may require a restart.

Bulletins Replaced
by This Update

MS12-015

Full
Details

http://technet.microsoft.com/security/bulletin/MS12-031

Bulletin
Identifier

Microsoft
Security Bulletin MS12-032

Bulletin Title

Vulnerability in
TCP/IP Could Allow Elevation of Privilege (2688338)

Executive
Summary

This
security update resolves one publicly disclosed and one privately reported
vulnerability in Microsoft Windows. The more severe of these vulnerabilities
could allow elevation of privilege if an attacker logs on to a system and
runs a specially crafted application. The security update addresses the
vulnerabilities by modifying the way that Windows Firewall handles outbound
broadcast packets and by modifying the way that the Windows TCP/IP stack
handles the binding of an IPv6 address to a local interface.

Severity Ratings and
Affected Software

This security update
is rated Important for all supported editions of Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2.

Attack
Vectors

CVE-2012-0174
(Windows Firewall bypass vulnerability)

·        
In order to use this vulnerability, an
attacker would first have to gain access to the local subnet of the target
computer. An attacker could then use another vulnerability to acquire
information about the target system or execute code on the target system.

CVE-2012-0179
(TCP/IP double free vulnerability)

·        
To exploit this vulnerability, an attacker
would first have to log on to the system. An attacker could then run a
specially crafted application that could exploit the vulnerability and take
complete control over the affected system.

Mitigating Factors

CVE-2012-0174
(Windows Firewall bypass vulnerability)

·        
An attacker must have valid logon credentials and be able to
log on locally to exploit this vulnerability.

CVE-2012-0179
(TCP/IP double free vulnerability)

·        
Microsoft has not identified any mitigating factors for this
vulnerability.

Restart
Requirement

This
update requires a restart.

Bulletins Replaced
by This Update

MS11-083

Full
Details

http://technet.microsoft.com/security/bulletin/MS12-032

Bulletin
Identifier

Microsoft
Security Bulletin MS12-033

Bulletin Title

Vulnerability in
Windows Partition Manager Could Allow Elevation of Privilege (2690533)

Executive
Summary

This
security update resolves a privately reported vulnerability in Microsoft
Windows. The vulnerability could allow elevation of privilege if an attacker
logs on to a system and runs a specially crafted application. The security update
addresses the vulnerability by correcting the way that Windows Partition
Manager allocates objects in memory.

Severity Ratings and
Affected Software

This security update
is rated Important for all supported editions of Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2.

Attack
Vectors

To exploit this
vulnerability, an attacker would first have to log on to the system and then
run a specially crafted application that could exploit the vulnerability and
take complete control over the affected system.

Mitigating Factors

An attacker must
have valid logon credentials and be able to log on locally to exploit this
vulnerability.

Restart
Requirement

This
update requires a restart.

Bulletins Replaced
by This Update

None

Full
Details

http://technet.microsoft.com/security/bulletin/MS12-033

Bulletin
Identifier

Microsoft
Security Bulletin MS12-034

Bulletin Title

Combined Security
Update for Microsoft Office, Windows, .NET Framework, and Silverlight
(2681578)

Executive
Summary

This
security update resolves three publicly disclosed vulnerabilities and seven
privately reported vulnerabilities in Microsoft Office, Microsoft Windows,
the Microsoft .NET Framework, and Microsoft Silverlight. The most severe of
these vulnerabilities could allow remote code execution if a user opens a
specially crafted document or visits a malicious webpage that embeds TrueType
font files. The security update
addresses the most severe of these vulnerabilities by correcting the manner
in which affected components handle specially crafted TrueType font files and
by correcting the manner in which GDI+ validates specially crafted EMF record
types and specially crafted EMF images embedded within Microsoft Office
files.

Severity Ratings and
Affected Software

·        
This security update is rated Critical for all supported
releases of Microsoft Windows; for Microsoft .NET Framework 3.0 Service Pack
2, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4, except
when installed on Itanium-based editions of Microsoft Windows; and for
Microsoft Silverlight 4 and Microsoft Silverlight 5.

·        
This security update is rated Important for Microsoft Office
2003, Microsoft Office 2007, and Microsoft Office 2010.

Attack
Vectors

CVE-2011-3402
(TrueType font parsing vulnerability)

·        
In a web-based attack scenario, an attacker
could host a specially crafted website that is designed to exploit this
vulnerability and then convince a user to view the website.

·        
In a file sharing attack scenario, an
attacker could provide a specially crafted document file that is designed to
exploit this vulnerability, and then convince a user to open the document
file.

CVE-2012-0159
(TrueType font parsing vulnerability)

·        
In a web-based attack scenario, an attacker
could host a specially crafted website that is designed to exploit this
vulnerability and then convince a user to view the website.

·        
In a file sharing attack scenario, an
attacker could provide a specially crafted document file that is designed to
exploit this vulnerability, and then convince a user to open the document
file.

·        
In a local attack scenario, an attacker
could also exploit this vulnerability by running a specially crafted
application to take complete control over the affected system.

CVE-2012-0162
(.NET Framework buffer allocation vulnerability)

·        
Web browsing attack scenario: An attacker
could host a specially crafted website that contains a specially crafted XBAP
(XAML browser application) that could exploit this vulnerability and then
convince a user to view the website. The attacker could also take advantage
of compromised websites and websites that accept or host user-provided
content or advertisements. It could also be possible to display specially
crafted web content by using banner advertisements or by using other methods
to deliver web content to affected systems.

·        
Windows .NET applications attack scenario:
This vulnerability could also be used by Windows .NET applications to bypass
Code Access Security (CAS) restrictions.

CVE-2012-0164
(.NET Framework index comparison vulnerability)

·        
An unauthenticated attacker could send a
small number of specially crafted requests to an affected site, causing a
denial of service condition.

CVE-2012-0165
(GDI+ record type vulnerability)

·        
Web attack scenario: An attacker could host
a specially crafted web site that is designed to exploit this vulnerability
through Internet Explorer and then convince a user to view the website. This
can also include compromised websites and websites that accept or host
user-provided content or advertisements. These websites could contain
specially crafted content that could exploit this vulnerability. It could
also be possible to display specially crafted web content by using banner
advertisements or by using other methods to deliver web content to affected
systems.

·        
Email attack scenario: an attacker could
exploit the vulnerability by sending Outlook users a specially crafted email,
or by sending a specially crafted Office Document to the user and by
convincing the user to open the file or read the message.

·        
Attackers could also exploit this
vulnerability by hosting a malicious image on a network share and then convincing
a user to browse to the folder in Windows Explorer.

CVE-2012-0167
(GDI+ heap overflow vulnerability)

·        
This vulnerability requires that a user
open a specially crafted Office document with an affected version of
Microsoft Office.

·        
In an email attack scenario, an attacker
could exploit the vulnerability by sending a specially crafted Office file to
the user and by convincing the user to open the file.

·        
In a web-based attack scenario, an attacker
would have to host a website that contains a specially crafted Office
document that is used to attempt to exploit this vulnerability. In addition,
compromised websites and websites that accept or host user-provided content
could contain specially crafted content that could exploit this
vulnerability.

CVE-2012-0176
(Silverlight double-free vulnerability)

·        
An attacker could host a specially crafted
website that contains a specially crafted Silverlight application that could
exploit this vulnerability and then convince a user to view the website. The
attacker could also take advantage of compromised websites and websites that
accept or host user-provided content or advertisements. These websites could
contain specially crafted content that could exploit this vulnerability. It
could also be possible to display specially crafted web content by using
banner advertisements or by using other methods to deliver web content to
affected systems.

CVE-2012-0180
(Windows and messages vulnerability)

·        
An attacker would first have to log on to
the system, then run a specially crafted application that could exploit the
vulnerability and take complete control over the affected system.

CVE-2012-0181
(Keyboard layout file vulnerability)

·        
An attacker would first have to log on to
the system, then run a specially crafted application that could exploit the
vulnerability and take complete control over the affected system.

CVE-2012-1848
(Scrollbar calculation vulnerability)

·        
An attacker would first have to log on to
the system, then run a specially crafted application that could exploit the
vulnerability and take complete control over the affected system.

Mitigating Factors

CVE-2011-3402
(TrueType font parsing vulnerability) and CVE-2012-0159 (TrueType font
parsing vulnerability)

·        
In a web browsing attack scenario, an attacker would have no
way to force users to visit these websites. Instead, an attacker would have
to convince users to visit the website, typically by getting them to click a
link in an email message or Instant Messenger message that takes users to the
attacker’s website.

·        
By default, all supported versions of Microsoft Outlook,
Microsoft Outlook Express, and Windows Mail open HTML email messages in the
Restricted sites zone, which disables font download by default. If a user
clicks a link in an email message, the user could still be vulnerable to
exploitation of this vulnerability through the web-based attack scenario. The
vulnerability could also be exploited if a user opens an attachment that is
sent in an email message.

CVE-2012-0162 (.NET
Framework buffer allocation vulnerability)

·        
In a web browsing attack scenario, an attacker would have no
way to force users to visit these websites. Instead, an attacker would have
to convince users to visit the website, typically by getting them to click a
link in an email message or Instant Messenger message that takes users to the
attacker’s website.

·        
By default, Internet Explorer on Windows Server 2003, Windows
Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is
known as Enhanced Security Configuration. This mode mitigates this
vulnerability only on Windows Server 2008 and Windows Server 2008 R2, and
only in a web browsing attack scenario.

·        
On systems where MS11-044 has been applied, users will be
prompted before XBAP applications will execute when in the Internet Zone of
Internet Explorer. A user must click through this prompt in order to run the
XBAP application on their system.

CVE-2012-0165 (GDI+
record type vulnerability) and CVE-2012-0167 (GDI+ heap overflow
vulnerability)

·        
In a web browsing attack scenario, an attacker would have no
way to force users to visit these websites. Instead, an attacker would have
to convince users to visit the website, typically by getting them to click a
link in an email message or Instant Messenger message that takes users to the
attacker’s website.

·        
An attacker who successfully exploited this vulnerability
could gain the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

CVE-2012-0176
(Silverlight double-free vulnerability)

·        
In a web browsing attack scenario, an attacker would have no
way to force users to visit these websites. Instead, an attacker would have
to convince users to visit the website, typically by getting them to click a
link in an email message or Instant Messenger message that takes users to the
attacker’s website.

·        
By default, Internet Explorer on Windows Server 2003, Windows
Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is
known as Enhanced Security Configuration. This mode mitigates this
vulnerability only on Windows Server 2008 and Windows Server 2008 R2, and
only in a web browsing attack scenario.

·        
An attacker who successfully exploited this vulnerability could
gain the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

CVE-2012-0180
(Windows and messages vulnerability), CVE-2012-0181 (Keyboard layout file
vulnerability), and CVE-2012-1848 (Scrollbar calculation vulnerability)

·        
An attacker must have valid logon credentials and be able to
log on locally to exploit this vulnerability.

CVE-2012-0164 (.NET
Framework index comparison vulnerability)

·        
Microsoft has not identified any mitigating factors for this
vulnerability.

Restart
Requirement

This
update may require a restart.

Bulletins Replaced
by This Update

MS11-029, MS12-018,
and MS12-019.

Full
Details

http://technet.microsoft.com/security/bulletin/MS12-034

Bulletin
Identifier

Microsoft
Security Bulletin MS12-035

Bulletin Title

Vulnerabilities in
.NET Framework Could Allow Remote Code Execution (2693777)

Executive
Summary

This
security update resolves two privately reported vulnerabilities in the .NET
Framework. The vulnerabilities could allow remote code execution on a client
system if a user views a specially crafted webpage using a web browser that
can run XAML Browser Applications (XBAPs). The security update addresses the
vulnerabilities by correcting the manner in which the .NET Framework serialization
process handles trusted and untrusted data.

Severity Ratings and
Affected Software

This security update
is rated Critical for all supported editions of the Microsoft .NET Framework
on all supported editions of Microsoft Windows.

Attack
Vectors

·        
Web attack scenario: An attacker could host a specially
crafted website that contains a specially crafted XBAP (XAML browser
application) that could exploit this vulnerability and then convince a user
to view the website. The attacker could also take advantage of compromised
websites and websites that accept or host user-provided content or
advertisements. These websites could contain specially crafted content that
could exploit this vulnerability. In all cases, however, an attacker would
have no way to force users to visit these websites. Instead, an attacker
would have to convince users to visit the website, typically by getting them
to click a link in an email message or in an Instant Messenger message that
takes users to the attacker’s website. It could also be possible to display
specially crafted web content by using banner advertisements or by using
other methods to deliver web content to affected systems.

·        
Windows .NET applications attack scenario: This
vulnerability could also be used by Windows .NET applications to bypass Code
Access Security (CAS) restrictions.

Mitigating Factors

·        
In
a web browsing attack scenario, an attacker would have to convince users to
visit the website, typically by getting them to click a link in an email
message or Instant Messenger message that takes users to the attacker’s
website.

·        
By
default, Internet Explorer on Windows Server 2003, Windows Server 2008, and
Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced
Security Configuration. This mode mitigates this vulnerability only on
Windows Server 2008 and Windows Server 2008 R2, and only in a web browsing
attack scenario.

·        
For
CVE-2012-0160: Standard .NET Framework applications are not affected by this
vulnerability. Only specially crafted .NET Framework applications could
exploit this vulnerability.

Restart
Requirement

This
update may require a restart.

Bulletins Replaced
by This Update

MS11-044, MS11-078,
MS11-100, and MS12-016.

Full
Details

http://technet.microsoft.com/security/bulletin/MS12-035