Microsoft's April Security Update Includes 4 'Critical' Fixes

April's security update arrived today, packing six bulletins for 11 flaws. Four of the six fixes have been categorized as "critical" -- Microsoft's most severe level. Microsoft defines a critical security issue as "a vulnerability whose exploitation could allow the propagation of an Internet worm without user action."

That said, IT shops may want to prioritize bulletin MS12-027, as it fixes a zero-day vulnerability in the Windows Common Controls that could lead to a remote code execution attack if left unpatched.

"The 'deploy now' bulletin this month is MS12-027, a bulletin affecting the Windows Common Controls," explained Andrew Storms, director of security operations at security firm nCircle. "This component is included in so many Microsoft programs it affects almost every Microsoft user on the planet."

The affected programs include versions of Microsoft Office, SQL Server, Commerce Server and some Microsoft developer tools, such as Microsoft Visual FoxPro and the Visual Basic 6.0 runtime.

Along with affecting every version of Windows, this fix should be a high priority because, according to Storms, Microsoft has already seen the vulnerability exploited in the wild. The attack works when a user visits a specially crafted Web site, which lets an attacker gain access to the system and remotely install malicious code.

While Storms argued that bulletin MS12-027 should be the top concern in Microsoft's update, other security experts, including VMware's Data and Security Team Manager Jason Miller, are advising customers that bulletin MS12-023 -- a cumulative security update for Internet Explorer -- should be taken care of first. Miller joined VMware when that company bought Shavlik Technologies in May.

"With any browser (Microsoft or non-Microsoft), patching is always on the top of the priority list as Internet browsers are one of the most targeted pieces of software for exploitation," said Miller in a blog post.

The fix, which targets IE versions 6, 7, 8 and 9, takes care of five privately reported issues that could let an attacker gain the access rights of an unsuspecting user. Unlike the Windows Common Controls flaw, the five IE vulnerabilities have not yet been seen in the wild. However, Microsoft warns that working exploits will likely appear within the next 30 days.

The third critical entry, bulletin MS12-024, takes care of a vulnerability in all versions of Windows that "could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system," according to Microsoft.

To keep this from being exploited, the bulletin changes how Windows Authenticode Signature Verification classifies a portable executable file for use. Also worth noting: this fix must be applied by those running the Windows 8 Consumer Preview, as well as the earlier released Windows 8 Developer Preview.

The fourth critical bulletin for the month solves a privately reported flaw in .NET Framework that could lead to a remote code execution attack if a specially crafted Web site is viewed using a browser that can run XAML Browser Applications (XBAPs). Bulletin MS12-025 affects .NET Framework versions running on Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Finally, Microsoft's security update for April includes two "important" bulletins. The first important bulletin, MS12-026, fixes two holes in Forefront Unified Access Gateway that could lead to an information disclosure attack if an attacker sends a specially crafted query to the UAG server. The second important bulletin, MS12-028, takes care of yet another remote code execution flaw in Microsoft Office and Microsoft Works.

Along with Microsoft's monthly update, it is worth noting that Adobe has released its next security update for both its Acrobat and Reader products.

Microsoft's security updates may require a system restart after installation. More information can be found in Microsoft's Security Bulletin Summary for April 2012.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
