Security Advisor
April Patch Tuesday: Microsoft Releases 4 'Critical' Fixes
This month's Security Update includes a fix for a 0-day issue in Microsoft Office.
Microsoft's monthly security update arrived on schedule today with a total of 11 bulletins -- four rated "critical" and seven rated "important" -- that look to address issues in multiple Microsoft products including Windows, Internet Explorer and Office.
This month's top priority for IT should be bulletin MS15-033, a critical fix for Microsoft Office. This item takes care of a number of privately reported issues, with the most severe possibly leading to a remote-code-execution (RCE) attack if gone unpatched. All currently supported versions of Office are affected.
What makes this item so dire for IT is that one of the vulnerabilities (CVE-2015-1641) has been seen by Microsoft to be in limited use by attackers in the wild. According to the company, attacks have been pulled off by having users click on a malicious link in an e-mail. The link then prompts the user to download a harmful Microsoft Office file, which can lead to the attacker taking full control of a system.
The bulletin also looks to fix two additional issues in Office 2007 and 2010 that could lead to a RCE attack if users simply preview a harmful e-mail in the Outlook preview pane.
Next up is a cumulative security update for Internet Explorer. Typically this would have been designated the top patching priority for IT. However, due to the 0-day attached to the Office fix, this month's IE bulletin has been bumped down to the next spot.
Still, as with any fix related to Web browsers, bulletin MS15-032, should be applied once all proper testing has been concluded. The most severe of the issues is a memory corruption vulnerability for IE 6, 7, 8, 9, 10 and 11 that could lead to an RCE attack through a phishing campaign.
The third critical item of the month (bulletin MS15-034) takes care of one vulnerability in Windows that could lead to an RCE attack due to the nature of how the OS receives HTTP request. Commenting on the security hole, Qualys CTO Wolfgang Kandek said that the issue, while not in active exploitation, could lead to a real headache for IT once attackers crack open how to take advantage of it.
"The bulletin addresses vulnerability CVE-2015-1635 in the HTTP stack on Windows server 2008 and 2012, also affecting Windows 7 and 8," said Kandek. "An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account. The attacker would then use an exploit for second local vulnerability (EoP) to escalate privilege, become administrator and install permanent exploit code."
Finishing up the critical bulletins for April is bulletin MS15-035, which fixes a single flaw in Windows Server 2003, Windows Server 2008, Windows Vista and Windows 7 and how these OSes render Enhanced Metafile (EMF) image files. An RCE attack could occur if an EMF file with hidden harmful code was downloaded through an e-mail or online message. Microsoft said the issue can also be resolved by disabling metafile processing in Windows.
The remaining seven items takes care of less severe "important" issues in Windows, .NET Framework and Windows Server Software. More information can be found on this month's Security Bulletin Summary page.
Along with this month's batch of security fixes, Microsoft has released Security Advisory 3045755, which alerts the incoming improvement of the Public Key Cryptography User-to-User (PKU2U) security support provider (SSP) in Windows 8, 8.1, RT and Windows Server 2012 R2. Set for release tomorrow, the update looks to modify how keys are authenticated.
"The update improves certain authentication scenarios for PKU2U," wrote Microsoft. "After applying this defense-in-depth update, PKU2U will no longer authenticate to a Windows Live ID (WLID) if an initial authentication attempt fails."