Microsoft Black Tuesday: Critical Windows, Office, and IE Updates

Microsoft has posted their April Patch Day security bulletins, which fix many serious flaws. If you run a Microsoft shop, it’s time to test and deploy these updates.

Microsoft’s April Security Bulletin summary describes six security bulletins, which fix 11 vulnerabilities in many of their products. Affected products include:

  • Windows, and components that ship with it
  • Internet Explorer (IE)
  • The .NET Framework
  • Microsoft Office and other related products
    • Works
    • SQL Server
    • BizTalk Server
    • Commerce Server
    • Visual FoxPro
    • Visual Basic
  • Forefront Unified Access Gateway (UAG).

They rate four of these bulletins as Critical, which typically means remote attackers can exploit them to gain control of your affected computers.

April MS Patch Day Summary

In their summary post, Microsoft lists these bulletins in order of their severity. I typically agree with Microsoft’s severity classifications and recommend you apply the updates in that order. However, there is one exception this month. According to Microsoft, attackers are exploiting the flaws from the fourth bulletin (MS12-027) in “limited targeted” attacks. For that reason, I believe that bulletin, along with the IE one, poses the most risk. I’d recommend applying the IE and “Common Controls” updates before the other Critical ones.

I’ll post more detailed alerts about most of these Microsoft bulletins shortly. However, I do not plan on posting an alert about the Forefront UAG bulletin. This product is similar to one we offer, so I suspect many of our customers don’t use it. That said, if you do use Microsoft Forefront UAG, you should refer to Microsoft’s bulletin (MS12-026) and apply the appropriate updates.

In semi-related news, Adobe shares the second Tuesday of the month as their official patch day. Today, Adobe also released a security update for Reader and Acrobat. I plan to post an alert about these Reader flaws after the Microsoft ones. If you’d like a head start on the Reader update, feel free to follow the link above now, for details. — Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.
