Microsoft on Tuesday fixed a critical vulnerability in a component of Office, SQL Server and other widely deployed applications that attackers are already using in targeted attacks. The flaw in the Microsoft Common Controls component, one of the 26 vulnerabilities fixed in nine bulletins issued today, can be exploited remotely, and Microsoft said that attackers have been using malicious RTF files sent via email to take advantage of the bug.
The MS12-060 vulnerability is one of four critical bugs that the company fixed as part of the August Patch Tuesday release and it’s considered the most dangerous one at this point. Microsoft said that there are ongoing attacks against the flaw right now.
“The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website. The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability,” Microsoft said in its advisory.