Microsoft has posted their April Patch Day security bulletins, which fix many serious flaws. If you run a Microsoft shop, it’s time to test and deploy these updates.
Microsoft’s April Security Bulletin summary, describes six security bulletins, which fix 11 vulnerabilities in many of their products. Affected products include:
- Windows, and components that ship with it
- Internet Explorer (IE)
- The .NET Framework
- Microsoft Office and other related products
- SQL Server
- BizTalk Server
- Commerce Server
- Visual FoxPro
- Visual Basic
- Forefront Unified Access Gateway (UAG).
They rate four of these bulletins as Critical, which typically means remote attackers can exploit them to gain control of your affected computers.
In their summary post, Microsoft lists these bulletins in order of their severity. I typically agree with Microsoft severity classifications, and recommend you apply the updates in that order. However, there is one exception this month. According to Microsoft, attackers are exploiting the flaws from the fourth bulletin (MS12-027) in “limited targeted” attacks. For that reason, I believe that bulletin, along with the IE one, poses the most risk. I’d recommend applying the IE and “Common Controls” updates before the other Critical ones.
I’ll post more detailed alerts about most of these Microsoft bulletins shortly. However, I do not plan on posting an alert about the Forefront UAG bulletin. This product is similar to one we offer, so I suspect many of our customers don’t use it. That said, if you do use Microsoft Forefront UAG, you should refer to Microsoft’s bulletin (MS12-026) and apply the appropriate updates.
In semi-related news, Adobe shares the second Tuesday of the month as their official patch day. Today, Adobe also released a security update for Reader and Acrobat. I plan to post an alert about these Reader flaws after the Microsoft ones. If you’d like a head start on the Reader update, feel free to follow the link above now, for details. — Corey Nachreiner, CISSP (@SecAdept)