Busy security patch month for Microsoft administrators

Microsoft has released six patches, four critical, for 11 vulnerabilities in Office, Windows and various server products in its April security update.

Microsoft has released six patches, including four which are critical, for 11 vulnerabilities in Office, Windows and various server products in its monthly Patch Tuesday security update for April.

MS12-023 fixes several vulnerabilities in Internet Explorer (all supported versions). This is a high-risk vulnerability, considering that distributing threats over the web is a favourite tactic for cybercriminals, wrote Chester Wisniewski, senior security advisor at Sophos Canada, in a blog post. "We will likely see exploits targeting these flaws in the not too distant future," he said.

However, Wolfgang Kandek, CTO at Qualys, points out that this update does not include the fix for the vulnerability found during last month's PWN2OWN contest at CanSecWest 2012, which will probably be fixed by another IE update next month.

This month's IE update also brings a more robust way of handling JavaScript self-XSS in the browser's address bar. Late last year there were several Facebook scams that used that mechanism to plant undesired content on users' walls.

MS12-024 patches a flaw in Authenticode Signature Verification, the part of Windows that checks code for valid digital signatures.  

"The bug allows signed binaries to be appended with potentially malicious content, but still appear to be validly signed. This type of bug could be exploited in a Stuxnet-like attack without the need to steal digital certificates to sign the bad code," said Wisniewski.

MS12-025 is a critical flaw in the .NET framework affecting both Windows clients and ASP.NET. "Considering nearly all Windows computers have .NET installed you should apply this patch immediately for both servers and workstations," said Wisniewski.

MS12-026 patches Microsoft Forefront Unified Access Gateway or VPN services. This vulnerability, assessed by SophosLabs as low risk, could allow information disclosure.

"The patch getting the most attention this month is MS12-027," wrote Wisniewski. Microsoft reported this vulnerability as being actively exploited in the wild before publication.

The bug affects an unusually wide range of Microsoft products, including Office 2003 through to 2010 on Windows, SQL Server 2000 through to 2008 R2, BizTalk Server 2002, Commerce Server 2002 through to 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime. "This type of bug is often referred to as 'browse and own' and I would make this update priority one, considering it is already being used to compromise users," said Wisniewski.

Attackers have been embedding the exploit for the underlying vulnerability CVE-2012-0158 into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail, said Kandek.

Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications, he said.

Finally, MS12-028 patches a flaw that allows remote code execution if a user tries to open a maliciously crafted Microsoft Works file in Microsoft Office.

"While Microsoft gives this flaw an important rating, SophosLabs disagrees, classifying it as high risk," wrote Wisniewski.

"If you are unable to deploy this patch right away, I would configure your mail gateway to block attachments with a .wps extension," he said.

Adobe, in its patch cycle that is now synchronised with Microsoft, delivered fixes for four vulnerabilities in Adobe Reader and Acrobat versions 9 and X (APSB12-08).

Adobe assigned a "Priority Rating" of "1" to the update, which recommends installation within the next three days. In a design change, Adobe Reader 9 is now using the system-provided Flash component, rather than bringing its own.

"This decoupling will benefit security because it avoids the all too common situation where Adobe Reader's Flash gets out of sync with the latest updates. A similar change for Adobe Reader X is in the works," said Kandek.

Wisniewski advises an immediate update to Reader/Acrobat 10.1.3 because all four vulnerabilities can lead to remote code execution.

Finally, Kandek notes that this month starts the two-year countdown to obsolescence for Windows XP. In April 2014 Microsoft will stop supporting XP. However, Windows XP still has an installed base of 35% worldwide, with especially high rates of over 70% in some Asian countries.

"Organisations and end-users need to start planning for their migration to a more recent version of the OS before Microsoft stops issuing any more security updates," said Kandek.
