Microsoft released six bulletins to address 11 vulnerabilities, including four critical fixes, on its April Patch Tuesday.
As revealed by SC Magazine, the patches cover flaws in all versions of Windows, Office and Internet Explorer. According to Pete Voss, senior response communications manager at Microsoft Trustworthy Computing, the priority should be given to patches MS12-027 and MS12-023, and he said that users running automatic updates will be automatically protected from the issues addressed this month.
Andrew Storms, director of security operations at nCircle, said: “It must be a blue moon this month, because Microsoft is shipping an IE security bulletin but, for the first time in a long time, it won't be on the top of the deployment priority list.
“The ‘deploy now’ bulletin this month is MS12-027, a bulletin affecting the Windows Common Controls. This component is included in so many Microsoft programs that it affects almost every Microsoft user on the planet.
“It gets worse: Microsoft has already seen exploits for this vulnerability in the wild in limited attacks. IT security teams should get ready for an urgent but careful deployment. Because this bulletin affects such an extensive list of products, security teams will need to spend extra time testing the patch before deploying.”
Wolfgang Kandek, CTO of Qualys, said organisations should focus most of their attention on MS12-027 as this affects an unusually wide range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime.
“Attackers have been embedding the exploit for the underlying vulnerability CVE-2012-0158 into an RTF document and enticing the target into opening the file, most commonly by attaching it to an email,” he said.
“Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.”
Jason Miller, manager of research and development at VMware, said: “On a different front for this security bulletin, software developers will need to pay particular attention to the information inside this bulletin.
“Any developer that has released an ActiveX control should review the information for this security bulletin. These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control.”
The Internet Explorer patch contains four critical vulnerabilities and affects all versions of Microsoft's browser. Kandek said: “Attacks can exploit the vulnerabilities by setting up a malicious webpage. MS12-023 has an Exploitability Index of 1, meaning that Microsoft believes that an attack can be crafted within the next 30 days.”
Tyler Reguly, technical manager of security research and development at nCircle, said: “IE got knocked out of its usual ‘most critical bulletin’ spot this month on the Microsoft Security Research & Defense blog.
“Just because IE is knocked down a spot doesn't mean it's not still on the patch-quickly list. It's got to be depressing for Microsoft to patch another bug in their newest version of the browser because newer software versions are generally the most secure.”
Kandek said: “The flaw in MS12-024 allows malware to hitch a ride inside a legitimate software package and silently infiltrate the system as the user proceeds with the installation of the legitimate package.
“MS12-025 fixes a flaw in Microsoft's .NET XBAP mechanism that would allow an attacker to run arbitrary code on the machine. We typically associate XBAP as being used for internal application delivery only.”
Also releasing patches today are Adobe, Google and Mozilla. Adobe is updating Reader versions 9 and 10 with fixes for critical vulnerabilities.
“In a design change, Adobe Reader 9 is now using the system-provided Flash component, rather than bringing its own. This decoupling will benefit security because it avoids the all-too-common situation where Adobe Reader's Flash gets out of sync with the latest updates. A similar change for Adobe Reader X is in the works,” said Kandek.
Paul Henry, security and forensic analyst at Lumension, said: “Google released multiple patches for Chrome this Patch Tuesday period (to take it to version 18.0.1025.152). The latest patch on 9 April addressed 12 security issues and followed the previous patch released just eight days earlier. Mozilla added vulnerable Java plug-ins to its black list in efforts to protect users in its latest patch.”