This month Microsoft released a total of six new security bulletins, but one in particular deals with a zero-day vulnerability impacting virtually every Microsoft user, which is already being exploited in the wild.
Four of the six security bulletins are rated as Critical by Microsoft, with the remaining two ranked as Important. The Critical security bulletins include a fix for Windows and the .NET framework, as well as the perennial favorite the cumulative update for Internet Explorer. The biggest deal, though, is MS12-027, which addresses a critical flaw in Windows Common Controls.
One of the fixes is gaining the most attention though, even from Microsoft. "We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of the CVE-2012-0158 vulnerability using specially crafted Office documents as an exploit vector," said the firm in an apparently hastily written blog post.
The single vulnerability patched in MS12-027 is in an ActiveX control included with every 32-bit version of Office 2003, 2007 and 2010; Microsoft also called out SQL Server, Commerce Server, BizTalk Server, Visual FoxPro and Visual Basic as needing the patch.
Hackers are already using the vulnerability in malformed text documents, which when opened either in Word or WordPad the latter is a bare bones text editor bundled with every version of Windows, including Windows 7 can hijack a PC, Microsoft acknowledged in a post to its Security Research & Defense (SRD) blog today.