News

Microsoft's April Security Update Arrives with 'Critical' IE Fix

• By Chris Paoli
• 04/09/2013

This month's Microsoft security update, released today, features nine bulletins -- two rated "critical" and seven "important."

The top item of concern for IT pros should be a critical Internet Explorer security bulletin (MS13-028) targeted at two privately reported vulnerabilities. Left unpatched, the flaws could lead to a remote code execution (RCE) attack. This patch is a cumulative update, which includes fixes for Internet Explorer 6, 7, 8, 9 and 10 on Windows XP, Vista, Windows 7 and 8 and Windows RT. The vulnerability has an exploit index of 2, which, according to Microsoft, represents "exploit code [that] would be difficult to build." However, due to the widespread use of Internet Explorer, it's still recommended that this patch be the first bulletin updated, even though Microsoft has yet to see the two vulnerabilities being exploited in the wild.

Next to patch is critical item MS13-029, according to Wolfgang Kandek, CTO of security firm Qualys. It's another RCE fix for one vulnerability found in the Windows Remote Desktop Client.

"The second vulnerability to apply is MS13-029, which fixes a vulnerability in the Remote Desktop Client ActiveX control included in all Windows versions prior to Windows 8," said Kandek in a blog post. "While ActiveX controls can be included in most Windows programs, the most likely attack vector is through a Web browser."

Important Items
Microsoft rolled out seven important bulletins for IT pros to consider this month.

• MS13-030: Takes care of an information disclosure flaw in Microsoft SharePoint Server 2013.
• MS13-031: This bulletin addresses two privately reported flaws in the Windows kernel that could allow elevation of privilege on a system via a malicious application.
• MS13-032: This item fixes one privately reported issue in Active Directory. If gone unpatched, this flaw could lead to a denial of service attack if a malicious query is sent to the Lightweight Directory Access Protocol (LDAP) service.
• MS13-033: This Windows item fixes how the client handles objects in memory in Windows XP, Vista, Windows Server 2003 and Windows Server 2008.
• MS13-034: An elevation of privilege attack could be leveraged if a privately reported flaw in the Microsoft Antimalware Client goes unpatched.
• MS13-035: This Microsoft Office fix addresses an issue that could allow elevation of privilege if a malicious file is opened.
• MS13-036: The final item of the month takes care of four issues in the Windows kernel that could allow elevation of privilege if not addressed.

One Year Left of Windows XP Support
Dustin Childs of Microsoft's Trustworthy Computing group took this month's patch release as an opportunity to remind the public that official support, including for security-related issues, for Windows XP will end on April 8, 2014.

"Of course, Windows XP leaving support doesn't mean bad guys will stop trying to exploit it; however, the absence of new security updates will make it easier for attacks to succeed," said Childs. "We talk a lot about mitigating risks through our security updates, and with Windows XP retiring, the best mitigation will be to upgrade to a modern Windows operating system."

More information, including guides to migrate to Windows7 or 8, can be found at the Windows for your Business blog.