Your Microsoft security update for April 2012

Microsoft released its April 2012 Security Bulletin a few minutes ago. As expected, this is a six-bulletin package addressing a total of 11 vulnerabilities. Per usual, I'm sharing the early analysis that's been dropped into my inbox...

Symantec:

“The WinVerifyTrust Signature Validation Vulnerability is interesting because it lets attackers modify signed Portable Executable files undetected,” said John Harrison, Group Product Manager, Symantec Security Response. “In addition, the attacker doesn’t need to worry about controlling memory; once the user runs the content, the device has been infected. The most common attack will probably be a scenario in which a site offers a free download of a specific program that appears to be legitimately signed.” 

“The most prominent vulnerabilities are in Internet Explorer, with 4 of the 5 patches marked as critical,” Harrison added. “Because the vulnerabilities could allow remote code execution, we recommend users patch as soon as possible.”

McAfee:

"The specific threats covered in all 4 'Critical' bulletins carry a potential impact of  Remote Code Execution” said Jim Walter, manager of the McAfee Threat Intelligence Service for McAfee Labs. “Add to this that so many popular products are among the affected, including Internet Explorer, Office, SQL Server, and the potential danger is increasingly apparent. IT administrators should take this into account when prioritizing patches.”

Walter adds:

“The Authenticode, IE and Windows Common Controls issues are particularly interesting.  These all highlight various 'trends' and 'common threat vectors:  web-based exploitation, compromised digital signatures, IM / Social Network-borne attacks, etc. In addition, Adobe has released updates for Adobe Acrobat and Adobe Reader, spanning multiple platforms.  4 CVEs are described in APSB12-08, all of which carry a potential impact of Remote Code Execution.  Given the popularity of the PDF format in targeted attacks (or any malicious file-based campaign for that matter) priority should be placed on this update as well.”

Qualys:

This month Microsoft issued six bulletins, four critical, two important, addressing 11 distinct vulnerabilities. Organizations should focus most of their attention on MS12-027. What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and it affects an unsually wide-range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime. Attackers have been embedding the exploit for the underlying vulnerability CVE-2012-0158 into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.MS12-023, an update to Internet Explorer. It contains four critical vulnerabilities and affects all versions of Microsoft's browser. Attacks can exploit the vulnerabilities by setting up a malicious webpage. MS12-023 has an Exploitability Index of 1, meaning that Microsoft believes that an attack can be crafted within the next 30 days. By the way, this update does not include the fix for the vulnerability found during last month's PWN2OWN contest at CanSecWest 2012, which will probably be fixed by another IE update next month. This month's IE update also brings a more robust way of handling JavaScript self-XSS in the browser's address bar. Late last year there were several Facebook scams that used that mechanism to plant undesired content on user's walls.MS12-024 and MS12-025 are the remaining critical vulnerabilities and address a flaw in Authenticode in Windows and a vulnerability in .NET's XBAP, the browser based application module. The flaw in MS12-024 allows malware to hitch a ride inside a legitimate software package and silently infiltrate the system as the user proceeds with the installation of the legitimate package. MS12-025 fixes a flaw in Microsoft's .NET XBAP mechanism that would allow an attacker to run arbitrary code on the machine. Similar to the situation with Java we recommend turning off XBAP in the Internet zone of Internet Explorer, since we typically associate XBAP as being used for internal application delivery only. For details on how to roll out this type of change, see this blog post by Eric Law that shows how IE9 implements this restriction already in its default configuration.APSB12-08). The update addresses both Adobe Reader 9 and 10 and contains fixes for critical vulnerabilities. Adobe assigned a "Priority Rating" of "1" to the update, which recommends installation within the next three days.

Next is

Also today Adobe released an update to Adobe Reader (

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline