Microsoft's April Security Update Includes 4 'Critical' Fixes

April's security update arrived today, packing six bulletins for 11 flaws. Four of the six fixes have been categorized as "critical" -- Microsoft's most severe level. Microsoft defines a critical security issue as "a vulnerability whose exploitation could allow the propagation of an Internet worm without user action."

That said, IT shops may want to prioritize bulletin MS12-027, as it secures a zero-day vulnerability in the Windows Common Control that could lead to a remote code execution attack if left unpatched.

"The 'deploy now' bulletin this month is MS12-027, a bulletin affecting the Windows Common Controls," explained Andrew Storms, director of security operations at security firm nCircle. "This component is included in so many Microsoft programs it affects almost every Microsoft user on the planet."

The affected programs include versions of Microsoft Office, SQL Server, Commerce Server and some Microsoft developer tools, such as Microsoft Visual FoxPro and the Visual Basic 6.0 runtime.

Along with affecting every version of Windows, this fix should be a high priority because, according to Storms, the vulnerability has already been seen in the wild by Microsoft. The attack works when a user visits a specially crafted Web site, which assists an attacker in accessing a system and remotely installing malicious code.

While Storms argued that bulletin MS12-027 should be the top concern in Microsoft's update, other security experts, including VMware's Data and Security Team Manager Jason Miller, are informing customers that bulletin MS12-023 -- a cumulative security update for Internet Explorer -- should be taken care of first. Miller is part of VMware after that company bought Shavlik Technologies in May.

"With any browser (Microsoft or non-Microsoft), patching is always on the top of the priority list as Internet browsers are one of the most targeted pieces of software for exploitation," said Miller in a blog post.

The fix, which targets IE versions 6, 7, 8 and 9, takes care of five privately reported issues that could lead to an attacker gaining the access rights of an unsuspecting user. Unlike the Windows Common Controls fix, the five IE vulnerabilities haven't been seen in the wild as yet. However, Microsoft warns that successful attacks will likely appear in the next 30 days.

The third critical entry, bulletin MS12-024, takes care of a vulnerability in all versions of Windows that "could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system," according to Microsoft.

To block potential exploitation, the bulletin modifies how Windows Authenticode Signature Verification classifies a portable executable file for use. Also important to note is that this fix will need to be applied by those running the Windows 8 Consumer Preview, as well as the earlier released Windows 8 Developer Preview.

The fourth critical bulletin for the month solves a privately reported flaw in .NET Framework that could lead to a remote code execution attack if a specially crafted Web site is viewed using a browser that can run XAML Browser Applications (XBAPs). Bulletin MS12-025 affects .NET Framework versions running on Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Finally, Microsoft's security update for April includes two "important" bulletins. The first important bulletin, MS12-026, fixes two holes in Forefront Unified Access Gateway that could lead to an information disclosure attack if an attacker sends a specially crafted query to the UAG server. The second important bulletin, MS12-028, takes care of yet another remote code execution flaw in Microsoft Office and Microsoft Works.

Along with Microsoft's monthly update, it is worth noting that Adobe has released its next security update for both its Acrobat and Reader products, which can be found here.

Microsoft's security updates may require a system restart after installation. More information can be found in Microsoft's Security Bulletin Summary for April 2012.

About the Author

Chris Paoli is the site producer for and
