Microsoft released six bulletins to address 11 vulnerabilities, including four rated critical, on its April Patch Tuesday.
As reported by SC Magazine, the patches cover flaws in all versions of Windows, Office and Internet Explorer. According to Pete Voss, senior response communications manager at Microsoft Trustworthy Computing, priority should be given to patches MS12-027 and MS12-023, and he said that users running automatic updates will be protected against the problems addressed this month without taking any action.
Andrew Storms, director of security operations at nCircle, said: "It must be a blue moon this month, because Microsoft is shipping an IE security bulletin but, for the first time in ages, it won't be at the top of the deployment priority list.
"The 'deploy now' bulletin this month is MS12-027, a bulletin affecting the Windows Common Controls. This component is included in so many Microsoft programs that it affects almost every Microsoft user in the world.
"It gets worse: Microsoft has already seen exploits for this vulnerability in the wild in limited attacks. IT security teams should prepare for an urgent but careful deployment. Because this bulletin affects such an extensive list of products, security teams might want to spend extra time testing the patch before deploying."
Wolfgang Kandek, CTO of Qualys, said organisations should focus most of their attention on MS12-027, as this affects an unusually wide range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and the Visual Basic 6 Runtime.
"Attackers have been embedding the exploit for the underlying vulnerability, CVE-2012-0158, into an RTF document and enticing the target into opening the file, mostly by attaching it to an email," he said.
"Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications."
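The delivery mechanism Kandek describes, an OLE object packed into an RTF attachment, is easy to triage before a sample ever reaches Word. The scanner below is an added example and is not code from the article or from Qualys: it walks every `{\object ...}` group in an RTF, decodes the `\objdata` hex run and parses the OLE 1.0 object header so that the embedded class name and the presence of an OLE compound-file payload can be compared against the components a bulletin covers. The sample RTF is constructed for the example and carries a harmless `Package` class; a real exploit document would name the vulnerable control instead, and that class name is what to match against the bulletin.

```python
import re
import struct
from typing import Dict, List, Tuple

# Magic bytes of an OLE Compound File (CFB), the container that embedded
# ActiveX/OLE objects ship in when they are packed into RTF.
OLE_CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
HEX_CHARS = set("0123456789abcdefABCDEF")

# Constructed sample (not a real exploit file): one embedded OLE object whose
# native data starts with the CFB magic. Layout is an assumption for the demo.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Times New Roman;}}
Quarterly figures attached.\par
{\object\objemb{\*\objclass Package}
{\*\objdata 01050000 02000000 08000000
5061636b61676500 00000000 00000000 20000000
d0cf11e0a1b11ae1 0000000000000000 0000000000000000 0000000000000000
}}
\par}"""

# Same document with junk characters spliced into the hex run, the kind of
# noise seen in obfuscated droppers; the decoder records it instead of bailing.
SAMPLE_RTF_NOISY = SAMPLE_RTF.replace("01050000", "0105zz0000")

OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+([^}]*)\}")
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([^}]*)")


def _matching_brace(text: str, start: int) -> int:
    """Index just past the '}' that closes the '{' at text[start].
    Backslash-escaped characters (\\{ \\} \\\\) are skipped so they do not count."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(text)


def _read_lp_string(buf: bytes, off: int) -> Tuple[str, int]:
    """LengthPrefixedAnsiString: u32 length (NUL included), then the bytes."""
    if off + 4 > len(buf):
        return "", len(buf)
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1", "replace"), off + n


def parse_ole1_header(data: bytes) -> Dict:
    """Parse the OLE 1.0 ObjectHeader that \\objdata carries (MS-OLEDS):
    OLEVersion u32, FormatID u32 (1 = linked, 2 = embedded), then ClassName,
    TopicName and ItemName as length-prefixed strings; embedded objects then
    carry NativeDataSize u32 followed by the native data itself."""
    info = {"format_id": None, "class_name": "", "native_size": None, "is_cfb": False}
    if len(data) < 8:
        return info
    _, fmt = struct.unpack_from("<II", data, 0)
    info["format_id"] = fmt
    info["class_name"], off = _read_lp_string(data, 8)
    _, off = _read_lp_string(data, off)  # TopicName
    _, off = _read_lp_string(data, off)  # ItemName
    if fmt == 2 and off + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, off)
        info["native_size"] = size
        info["is_cfb"] = data[off + 4:off + 4 + size].startswith(OLE_CFB_MAGIC)
    return info


def scan_rtf(rtf: str) -> List[Dict]:
    """Return one record per {\\object ...} group found in the RTF text."""
    findings, pos = [], 0
    while True:
        start = rtf.find("{\\object", pos)
        if start < 0:
            return findings
        end = _matching_brace(rtf, start)
        group, pos = rtf[start:end], end
        m_class, m_data = OBJCLASS_RE.search(group), OBJDATA_RE.search(group)
        compact = re.sub(r"\s+", "", m_data.group(1) if m_data else "")
        clean = "".join(c for c in compact if c in HEX_CHARS)
        noise = len(compact) - len(clean)  # non-hex junk is a signal, not an error
        blob = bytes.fromhex(clean[: len(clean) & ~1])
        findings.append({
            "objclass": m_class.group(1).strip() if m_class else "",
            "data_bytes": len(blob),
            "hex_noise_chars": noise,
            **parse_ole1_header(blob),
        })


if __name__ == "__main__":
    for rec in scan_rtf(SAMPLE_RTF_NOISY):
        print(rec)
```

The decoder deliberately keeps going when the hex run contains non-hex characters and reports how many it saw, because the parser whose behaviour matters is the victim application's, not this one's; a clean decode with a known-bad class name and a CFB payload is the case to escalate.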
Jason Miller, manager of research and development at VMware, said: "On a different front for this security bulletin, software developers will need to pay particular attention to the information in this bulletin.
"Any developer that has released an ActiveX control should review the information for this security bulletin. These developers may need to release updates to their own software to ensure they aren't using a vulnerable file in their ActiveX control."
The Internet Explorer patch covers four critical vulnerabilities and affects all versions of Microsoft's browser. Kandek said: "Attackers can exploit the vulnerabilities by setting up a malicious webpage. MS12-023 has an Exploitability Index of 1, meaning that Microsoft believes that an attack could be crafted in the next 30 days.
"By the way, this update doesn't include the fix for the vulnerability found during last month's Pwn2Own contest at CanSecWest 2012, which will probably be fixed by another IE update next month. This month's IE update also brings an improved way of handling JavaScript self-XSS in the browser's address bar. Late last year there were several Facebook scams that used that mechanism to plant unwanted content on users' walls."
Tyler Reguly, technical manager of security research and development at nCircle, said: "IE got knocked out of its usual 'most critical bulletin' spot this month on the Microsoft Security Research & Defense blog.
"Just because IE is knocked down a place does not mean it is not still on the patch-quickly list. It has got to be depressing for Microsoft to patch another bug in their newest version of the browser, because newer software versions are generally the most secure."
Other critical patches include MS12-024 and MS12-025, which address a flaw in Authenticode in Windows and a vulnerability in .NET's XBAP, the browser-based application module.
Kandek said: "The flaw in MS12-024 allows malware to hitch a ride inside a valid software package and silently infiltrate the system as the user proceeds with the installation of the legitimate package.
"MS12-025 fixes a flaw in Microsoft's .NET XBAP mechanism that could allow an attacker to run arbitrary code on the machine. We typically associate XBAP as being used for internal application delivery only."
Also releasing patches today are Adobe, Google and Mozilla. Adobe is updating its Reader product, versions 9 and 10, with fixes for critical vulnerabilities.
"In a design change, Adobe Reader 9 is now using the system-provided Flash component, rather than bringing its own. This decoupling will benefit security as it avoids the all-too-common situation where Adobe Reader's Flash gets out of sync with the latest updates. A similar change for Adobe Reader X is in the works," said Kandek.
Paul Henry, security and forensic analyst at Lumension, said: "Google released multiple patches for Chrome this Patch Tuesday period (to take it to version 18.0.1025.152). The most recent patch on 9 April addressed 12 security issues and followed the previous patch released just eight days earlier. Mozilla added vulnerable Java plug-ins to its blocklist in an effort to protect users in its latest patch."