
5/09/2012

Microsoft Security Bulletin Summary for May 2012

1. Introduction

Microsoft (MS) has released its regular security updates for April 2012.
Users of Microsoft operating systems are strongly recommended to apply these updates to be protected from the following: Vulnerability in Microsoft Word Could Allow Remote Code Execution; Vulnerabilities in Microsoft Office Could Allow Remote Code Execution; Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution; Vulnerability in TCP/IP Could Allow Elevation of Privilege; Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege; Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight; and Vulnerabilities in .NET Framework Could Allow Remote Code Execution.



2. Update details

[Critical]
[MS12-029] Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)

Vulnerability: RTF Mismatch Vulnerability (CVE-2012-0183)

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Microsoft Office 2003 SP3
- Microsoft Office 2007 SP2
- Microsoft Office 2007 SP3
- Microsoft Office 2008 for Mac
- Microsoft Office for Mac 2011
- Microsoft Office Compatibility Pack SP2
- Microsoft Office Compatibility Pack SP3

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-029



[Important]
[MS12-030] Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830)

Vulnerability: Excel File Format Memory Corruption Vulnerability (CVE-2012-0141)
Excel File Format Memory Corruption in OBJECTLINK Record Vulnerability (CVE-2012-0142)
Excel Memory Corruption Using Various Modified Bytes Vulnerability (CVE-2012-0143)
Excel SXLI Record Memory Corruption Vulnerability (CVE-2012-0184)
Excel MergeCells Record Heap Overflow Vulnerability (CVE-2012-0185)
Excel Series Record Parsing Type Mismatch Vulnerability (CVE-2012-1847)

This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Microsoft Office 2003 SP3
- Microsoft Office 2007 SP2
- Microsoft Office 2007 SP3
- Microsoft Office 2010 (32-bit editions)
- Microsoft Office 2010 SP1 (32-bit editions)
- Microsoft Office 2010 (64-bit editions)
- Microsoft Office 2010 SP1 (64-bit editions)
- Microsoft Office 2008 for Mac
- Microsoft Office for Mac 2011
- Microsoft Excel Viewer
- Microsoft Office Compatibility Pack SP2
- Microsoft Office Compatibility Pack SP3

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-030



[Important]
[MS12-031] Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)

Vulnerability: VSD File Format Memory Corruption Vulnerability (CVE-2012-0018)

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Microsoft Visio Viewer 2010 (32-bit editions)
- Microsoft Visio Viewer 2010 SP1 (32-bit editions)
- Microsoft Visio Viewer 2010 (64-bit editions)
- Microsoft Visio Viewer 2010 SP1 (64-bit editions)

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-031



[Important]
[MS12-032] Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)

Vulnerability: Windows Firewall Bypass Vulnerability (CVE-2012-0174)
TCP/IP Double Free Vulnerability (CVE-2012-0179)

This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.

Affected Software

- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit SP2
- Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit
- Windows 7 for 32-bit SP1
- Windows 7 for x64-based
- Windows 7 for x64-based SP1
- Windows Server 2008 R2 x64-based
- Windows Server 2008 R2 x64-based SP1
- Windows Server 2008 R2 Itanium-based
- Windows Server 2008 R2 Itanium-based SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-032



[Important]
[MS12-033] Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)

Vulnerability: Plug and Play (PnP) Configuration Manager Vulnerability (CVE-2012-0178)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Affected Software

- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit SP2
- Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit
- Windows 7 for 32-bit SP1
- Windows 7 for x64-based
- Windows 7 for x64-based SP1
- Windows Server 2008 R2 x64-based
- Windows Server 2008 R2 x64-based SP1
- Windows Server 2008 R2 Itanium-based
- Windows Server 2008 R2 Itanium-based SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-033



[Critical]
[MS12-034] Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)

Vulnerability: RTF Mismatch Vulnerability (CVE-2012-0183)

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Microsoft Office 2003 SP3
- Microsoft Office 2007 SP2
- Microsoft Office 2007 SP3
- Microsoft Office 2008 for Mac
- Microsoft Office for Mac 2011
- Microsoft Office Compatibility Pack SP2
- Microsoft Office Compatibility Pack SP3

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-034
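As an added example (not part of the original post, and not a Microsoft tool), the following PowerShell snippet checks whether the updates listed above are installed on a local Windows machine. The KB numbers are the ones given in the bulletin headings. The check is split in two because Get-HotFix (Win32_QuickFixEngineering) only lists operating-system updates, so the Office and Visio Viewer patches have to be looked up in the Windows Update history instead. Any machine whose Run-as-administrator session is used for this is assumed to have Windows Update history available through the Microsoft.Update.Session COM object.

```powershell
# Added example: verify that the updates from this bulletin summary are installed.
# KB numbers are taken from the bulletin headings above.
$windowsKBs = @('KB2688338', 'KB2690533')                # MS12-032, MS12-033 (OS updates)
$officeKBs  = @('KB2680352', 'KB2663830', 'KB2597981')   # MS12-029, MS12-030, MS12-031 (Office/Visio)

function Test-WindowsHotfix {
    param([string[]]$KB)
    # Win32_QuickFixEngineering only lists CBS-serviced OS updates, not Office patches.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($id in $KB) {
        [pscustomobject]@{ KB = $id; Installed = ($installed -contains $id) }
    }
}

function Test-UpdateHistory {
    param([string[]]$KB)
    # Office updates delivered through Windows Update appear in the update history;
    # ResultCode 2 means the installation succeeded.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $titles   = @()
    if ($count -gt 0) {
        $titles = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 } |
            ForEach-Object { $_.Title }
    }
    foreach ($id in $KB) {
        $found = $titles | Where-Object { $_ -like "*$id*" }
        [pscustomobject]@{ KB = $id; Installed = [bool]$found }
    }
}

Test-WindowsHotfix -KB $windowsKBs
Test-UpdateHistory -KB $officeKBs
```

A KB reported as not installed by both checks is a gap only if the product it applies to is actually present on the machine; Office patches for editions that are not installed will never appear in the history.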

5/08/2012

[Warning] Malicious file about portrait infringement


1. Information

INCA Internet's response team has been detecting a malicious file disguised as a photo since 4 May 2012. Various reports about this file appeared on the internet in April, and it has now been found in Korea as well. The malicious file has several variants, and we have added detection patterns for them to nProtect Anti-Virus. An e-mail attachment that carries an EXE file inside a ZIP archive is very likely to turn out to be malicious.



2. Real cases

[Sophos]
IMG0893.zip - Your photo all over Facebook? Naked? Malware campaign spammed out

[nProtect Response Team Official Blog]
[Caution] Malicious e-mail about BBB(Better Business Bureau)

The following images show the various malicious e-mails. The subject line is "FW:Why did you put this photo online?" (it may be worded as a complaint about portrait-rights infringement).

- Sent to Korea, May 4, 2012
- Sent to Germany, May 8, 2012
- Sent to Korea again, May 8, 2012


The ZIP attachment is disguised as an image file, but it actually contains an executable.


The user is infected once the ZIP file is extracted and the executable inside it is run.


After infection, a copy of the malicious file is created under the "All Users" path.


It also adds a value under the following registry key so that it runs at every boot:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched c:\documents and settings\all users\svchost.exe


The dropped svchost.exe attempts TCP/IP network access, but it does not connect to any particular host.

3. Summary

Spreading malicious files through social engineering is a long-established technique. To keep your PC safe from the threat of such malicious attachments, we recommend that you install the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received through instant messengers and social networking services (SNS).

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

5/03/2012

[Caution] Malicious e-mail about BBB(Better Business Bureau)


1. Information


INCA Internet's response team has detected a malicious e-mail disguised as being sent by the BBB (Better Business Bureau). This is the first such case found in Korea. The Better Business Bureau (BBB), founded in 1912, is a corporation consisting of a number of separately governed and incorporated local BBB organizations in the United States and Canada, affiliated with the Council of Better Business Bureaus (CBBB).
Moreover, receiving a "satisfactory" rating from the BBB is something a company can boast about, which makes the lure credible.



2. Spreading cases

- http://atlanta.bbb.org/article/its-back-fake-bbb-complaint-email-makes-rounds-in-2012-32038

[Caution] Malicious files disguised as sent by logistics service companies

The malicious e-mail is disguised as being sent by Better Business Bureau <info@bbb.org>. Its subject line and body are also made to look as if they came from the BBB.


The attached "BBB Report.zip" contains "BBB report.exe", which is an executable file.


When "BBB report.exe" is executed, it creates a copy of itself named svchost.exe in the "All Users" folder.


It also adds a value under the following registry key so that it runs at every boot:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched   c:\documents and settings\all users\svchost.exe



The dropped svchost.exe attempts TCP/IP network access, but it does not connect to any particular host.
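Both this post and the "portrait infringement" post above describe the same persistence: a copy of the malware named svchost.exe dropped under the "All Users" path and registered as "SunJavaUpdateSched" in the HKLM Run key. As an added example (not part of either original post, and not an INCA Internet or nProtect tool), the following PowerShell function audits Run-key entries for exactly that pattern: an svchost.exe that is not the genuine one in the Windows system directory, or any autorun executable stored under a user-profile or All Users path. The sample entries are constructed for the demonstration (the "SunJavaUpdateSched" line is the value shown in the posts; the "SecurityHealth" line is an assumed benign entry), and the live-registry part at the end assumes it is run on a Windows host.

```powershell
# Added example: find Run-key entries matching the persistence described in the posts.
# The genuine svchost.exe lives in %SystemRoot%\System32 (or SysWOW64); a same-named
# file anywhere else, or any autorun under a profile/All Users path, deserves a look.

function Get-SuspiciousRunEntry {
    param(
        # Hashtable of ValueName -> command line, as stored in the Run key.
        [hashtable]$Entries,
        [string]$SystemRoot = $env:SystemRoot
    )
    $trustedSvchost = @("$SystemRoot\System32\svchost.exe", "$SystemRoot\SysWOW64\svchost.exe")
    foreach ($name in $Entries.Keys) {
        $cmd = $Entries[$name]
        # Extract the executable path: quoted path, else everything up to the first ".exe",
        # else the first token. The IoC path in the posts is unquoted and contains spaces.
        $exe = if ($cmd -match '^"([^"]+)"')      { $Matches[1] }
               elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] }
               else                               { ($cmd -split '\s+')[0] }
        $exe = $exe.Trim()
        $reasons = @()
        if ($exe -like '*\svchost.exe' -and ($trustedSvchost -notcontains $exe)) {
            $reasons += 'svchost.exe outside the Windows system directory'
        }
        # "Documents and Settings" is the XP-era profile root; on Vista and later the
        # All Users profile is C:\ProgramData and per-user profiles live under C:\Users.
        if ($exe -match '\\(documents and settings|users|programdata)\\') {
            $reasons += 'autorun executable stored under a profile/All Users path'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $name; Command = $cmd; Reason = ($reasons -join '; ') }
        }
    }
}

# Constructed sample entries (not captured from a real machine) so the check runs offline.
$sample = @{
    'SunJavaUpdateSched' = 'c:\documents and settings\all users\svchost.exe'  # value shown in the posts
    'SecurityHealth'     = 'C:\Windows\System32\SecurityHealthSystray.exe'   # assumed benign entry
}
Get-SuspiciousRunEntry -Entries $sample -SystemRoot 'C:\Windows'
# Expected: only "SunJavaUpdateSched" is returned, with both reasons.

# Live check of the local machine's Run key (Windows host only).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$meta   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$live   = @{}
(Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $meta -notcontains $_.Name } |
    ForEach-Object { $live[$_.Name] = [string]$_.Value }
Get-SuspiciousRunEntry -Entries $live
```

The output is a triage list, not a verdict: legitimately installed per-user software under C:\Users will also be reported by the path rule, so confirm each hit by checking the file's publisher signature and hash before removing the value. The same function can be pointed at HKCU's Run key and the RunOnce keys by changing $runKey.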

3. Summary

Spreading malicious files through social engineering is a long-established technique. To keep your PC safe from the threat of such malicious attachments, we recommend that you install the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection switched "ON".
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received through instant messengers and social networking services (SNS).

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.