April 2012 Patch Tuesday Overview
Microsoft has released six bulletins addressing 11 vulnerabilities in the April 2012 version of Patch Tuesday.
Marking the fourth Patch Tuesday of the year, Microsoft and non-Microsoft vendors are making this quite an interesting month, with critical security bulletins and new products to consider in your monthly Patch Tuesday planning.
There are many products that are affected by the new security bulletins. This means you will be seeing quite a few patches missing on a single machine. For example, MS12-027 affects 29 different products and service pack levels. For those administrators responsible for reporting their patch compliance, this can be quite a headache.
As scheduled, Microsoft has released their bi-monthly update for Internet Explorer. With any browser (Microsoft or non-Microsoft), patching is always at the top of the priority list, as Internet browsers are one of the most targeted pieces of software for exploitation. With Internet Explorer 10 (bundled with Windows 8), Microsoft is turning on automatic updates in the background. We will have to wait and see if Microsoft increases the number of patch releases for their browser, the way Google Chrome and Mozilla Firefox do. Since Microsoft last patched Internet Explorer (February 2012 Patch Tuesday), Google has released new updates to their browser seven times. Five of these releases were security releases.
Speaking of browsing threats, MS12-027 addresses a vulnerability that can be attacked via browsing. MS12-027 fixes one vulnerability that Microsoft has seen limited attacks against. Browsing to a malicious website with Internet Explorer will result in remote code execution. An attacker could also try sending an RTF file with embedded malicious ActiveX controls. If the user opens the file on an unpatched system, the attacker can gain full access to the system. As Microsoft has already seen active exploits against this vulnerability and it contains a web browsing scenario, it will be critical to push this patch out to your desktop systems as soon as possible.
On a different front, software developers will need to pay particular attention to the information in this security bulletin. Any developer that has released an ActiveX control should review it. These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control.
With this Patch Tuesday we are also seeing the first security bulletin affecting the Windows 8 Consumer Preview. Anyone using this operating system will want to apply MS12-024. It is good to see that Microsoft is not forgetting about their widely available (and used) preview operating system.
There are a few non-Microsoft vendors joining the Patch Tuesday security bulletin party with their own releases. Adobe is releasing updates for their Acrobat and Reader product lines during their own quarterly security bulletin update (APSB12-08). This security update addresses four vulnerabilities.
Google has released an update for their Chrome browser with version 18.0.1025.152. This latest version of the Google Chrome browser is a non-security update.
I will be talking about the April Patch Tuesday, as well as any other non-Microsoft patches that have been recently released, tomorrow, April 11th at 11:00am CT as part of our monthly Patch Tuesday webinar.
- Jason Miller