Windows common controls vulnerability could allow remote code execution
Report ID: MS201208009
Date Published: 15 August 2012
Criticality: Critical
Compromise Type: remote-code-execution
Compromise From: remote
Affected Product/Component:
Microsoft Office 2003
Microsoft Office 2007
Microsoft Office 2010
Microsoft SQL Server 2000
Microsoft SQL Server 2005
Microsoft SQL Server 2008
Microsoft SQL Server 2008 R2
Microsoft Commerce Server 2002
Microsoft Commerce Server 2007
Microsoft Commerce Server 2009
Microsoft Commerce Server 2009 R2
Microsoft Host Integration Server 2004
Microsoft Visual FoxPro 8.0
Microsoft Visual FoxPro 9.0
Visual Basic 6.0 Runtime
Summary
A vulnerability in Windows common controls could, upon successful exploitation, allow an attacker to execute code and gain the same rights as a logged-on user.
Detailed Description
Microsoft has released a security update to address a vulnerability in Windows common controls, which arises when an ActiveX control corrupts the system state. An attacker could then take advantage of this condition to execute code and gain rights similar to those of a logged-on user.
This vulnerability has been addressed in the latest security update by disabling the vulnerable version of the Windows common controls and replacing it with a non-vulnerable version. Users are advised to install this latest update to protect their systems from potential exploit attempts.
CVE Reference
CVE-2012-1856
Solution
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-060




