Microsoft patches critical Windows zero-day bug that hackers are now exploiting
Fixes first security flaw in Windows 8 Consumer Preview
Computerworld - Microsoft today delivered six security updates to patch 11 vulnerabilities in Windows, Internet Explorer (IE), Office and several other products, including one bug that attackers are already exploiting.
The company also issued the first patch for Windows 8 Consumer Preview, the beta-like build Microsoft released at the end of February.
But it was MS12-027 that got the most attention today.
"Things got a bit more interesting today," said Andrew Storms, director of security operations at nCircle Security, "because Microsoft is reporting limited attacks in the wild."
Flaws that attackers exploit before a patch is available are called "zero-day" vulnerabilities.
The single vulnerability patched in MS12-027 is in an ActiveX control included with every 32-bit version of Office 2003, 2007 and 2010; Microsoft also called out SQL Server, Commerce Server, BizTalk Server, Visual FoxPro and Visual Basic as needing the patch.
Storms, other security experts and Microsoft, too, all identified MS12-027 as the first update users should install.
Hackers are already using the vulnerability in malformed text documents, which when opened either in Word or WordPad -- the latter is a bare bones text editor bundled with every version of Windows, including Windows 7 -- can hijack a PC, Microsoft acknowledged in a post to its Security Research & Defense (SRD) blog today.
"We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of [the] CVE-2012-0158 vulnerability using specially-crafted Office documents," said Elia Florio, an engineer with the Microsoft Security Response Center, in the SRD blog post.
Microsoft did not disclose when it first became aware of the attacks, or who reported the vulnerability to its security team.
Storms speculated that an individual or company had been attacked, uncovered the bug and notified Microsoft.
Microsoft rarely deploys a patch "out of cycle," meaning outside its usual second Tuesday of every month schedule. The last such update was shipped in December 2011, and was the first for that year.
Also affected is software written by third-party developers who have bundled the buggy ActiveX control with their code or called it. Those developers will have to provide their own updates to customers.
"Any developer that has released an ActiveX control should review the information for this security bulletin," said Jason Miller, manager of research and development at VMware. "These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control."
Attackers can also exploit this bug using "drive-by download" attacks that automatically trigger the vulnerability when IE users browse to a malicious site, Microsoft admitted.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts