All told, the April Patch Tuesday update delivers six bulletins — four of which are rated as critical, including MS12-027.
MS12-027 is a critical vulnerability in Windows Common Controls. Qualys CTO Wolfgang Kandek explained to InternetNews.com that MS12-027 affects MSCOMCTL.OCX, which provides a number of common user-interface controls such as graphics and buttons.
“Many programs use it because of the comfortable functionality it brings and install a copy on the system when it is needed,” Kandek said. “With so many programs using it we think that many machines will be affected.”
Kandek noted that Microsoft's own packages have all been mapped out so the vulnerable control can be identified and fixed, but third-party applications will be the problem. In his view, any program written in Visual Basic will install its own copy of the control and could potentially be at risk.
“We were surprised at the breadth of the vulnerability, but look at it as being similar to the DLL pre-loading attacks,” Kandek said. “Very generic and probably very widely spread.”
From Microsoft’s perspective, the core controls are used across multiple Microsoft applications including Office, SQL Server, BizTalk, Commerce Server, Visual FoxPro, and Visual Basic.
“The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability,” Microsoft’s advisory states. “The security update addresses the vulnerability by disabling the vulnerable version of the Windows common controls and replacing it with a new version that does not contain the vulnerability.”
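Because third-party installers can leave their own copies of MSCOMCTL.OCX outside the system directories, a defender needs an inventory of every copy and its file version, not just the one the Microsoft update replaces. The following PowerShell script is an added example, not code from the article, Qualys or Microsoft; the $MinimumSafeVersion parameter is a placeholder to be filled from the bulletin's file-information table.

```powershell
# Added example (not from the article): inventory every copy of MSCOMCTL.OCX
# on the local fixed drives and flag copies below a minimum file version.
# $MinimumSafeVersion is a PLACEHOLDER: take the fixed file version from the
# MS12-027 bulletin before relying on the BelowMinimum column.
param(
    [version]$MinimumSafeVersion = [version]'0.0.0.0'
)

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Local fixed drives only (roots like C:\); bundled copies usually sit next to
# the application that shipped them rather than in a system directory.
$drives = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Za-z]:\\$' }

$copies = foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter 'MSCOMCTL.OCX' -Recurse -File -Force `
        -ErrorAction SilentlyContinue
}

function Get-ControlReport {
    param([System.IO.FileInfo[]]$Files)
    foreach ($f in $Files) {
        $vi = $f.VersionInfo
        # Build the version from the numeric parts; the FileVersion string
        # can carry formatting that does not cast cleanly to [version].
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
        $inSystemDir = [bool]($systemDirs | Where-Object { $f.DirectoryName -like "$_*" })
        [pscustomobject]@{
            Path         = $f.FullName
            FileVersion  = $ver.ToString()
            SystemCopy   = $inSystemDir      # $false = third-party bundled copy
            BelowMinimum = ($ver -lt $MinimumSafeVersion)
        }
    }
}

Get-ControlReport -Files $copies |
    Sort-Object SystemCopy, Path |
    Format-Table -AutoSize
```

Rows with SystemCopy set to $false are the copies the Microsoft update does not address on its own and need follow-up with the vendor of the application that installed them.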