Thursday, April 12, 2012

Patch Tuesday April 2012 - Critical updates for Windows, Office and Adobe Reader

I'm not seeing any negative feedback on the Patch Tuesday updates from this month, so go ahead and update.  Updates apply to both Microsoft Windows/Office and Adobe Reader/Acrobat 9/5 and 10.x.  ISC/SANS have rated most of the Microsoft patches as "Critical", which means they are either being exploited on a targeted basis or exploits are imminent.  The Bad Guys *_will_* be taking advantage of unpatched machines in the next few weeks.  The Krebs-on-Security entry below has the most user-friendly and descriptive write-up.  Links to the official Microsoft and Adobe security bulletins are below for the nerds among you.

Microsoft warns of 'limited, targeted attacks' against Windows vulnerability | ZDNet

By | April 10, 2012, 11:52am PDT

Summary: The vulnerability under attack exists in Windows Common Controls and can be exploited to launch remote code execution attacks if a user simply surfs to a malicious website.

Microsoft today shipped patches for at least 11 documented security vulnerabilities, including one that’s already being hit with “limited, targeted attacks.”

The vulnerability under attack — now fixed today with the MS12-027 bulletin — exists in Windows Common Controls and can be exploited to launch remote code execution attacks if a user simply surfs to a malicious website.

The vulnerability is caused when the MSCOMCTL.OCX ActiveX control, while being used in Internet Explorer, corrupts the system state in such a way as to allow an attacker to execute arbitrary code.

Microsoft is calling on Windows users to apply this bulletin as a priority because of the high-risk of code execution attacks.
Patch Tuesday April 2012 – Critical updates for Windows, Office and Adobe Reader | Naked Security
This month Microsoft has released six patches, four critical, for eleven vulnerabilities in Office, Windows and various server products. ...

Adobe, not wanting to feel left out, also delivered fixes for four vulnerabilities in Adobe Reader and Acrobat versions 9 and X.

All four vulnerabilities can lead to remote code execution, so I advise everyone be sure to update to Reader/Acrobat 10.1.3.

Adobe, Microsoft Issue Critical Updates — Krebs on Security
Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.

Seven of the 11 bugs Microsoft fixed with today’s release earned its most serious “critical” rating, which Microsoft assigns to flaws that it believes attackers or malware could leverage to break into systems without any help from users. In its security bulletin summary for April 2012, Microsoft says it expects miscreants to quickly develop reliable exploits capable of leveraging at least four of the vulnerabilities.

Among those is an interesting weakness (MS12-024) in the way that Windows handles signed portable executable (PE) files. According to Symantec, this flaw is interesting because it lets attackers modify signed PE files undetected.

“In addition, the attacker doesn’t need to worry about controlling memory; once the user runs the content, the device has been infected,” wrote John Harrison, group product manager for Symantec Security Response. “The most common attack will probably be a scenario in which a site offers a free download of a specific program that appears to be legitimately signed.”

Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys, is particularly worried about MS12-027, because the weakness spans an unusually wide range of Microsoft products. Microsoft agrees, calling this patch the highest priority security update this month.

“What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and it affects an unsually wide-range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime,” Kandek said. “Attackers have been embedding the exploit for the underlying vulnerability (CVE-2012-0158) into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.”

ISC Diary | Microsoft April 2012 Black Tuesday Update - Overview
Published: 2012-04-10,
Last Updated: 2012-04-11 01:57:49 UTC
by Swa Frantzen (Version: 1)
Overview of the April 2012 Microsoft patches and their status.
Adobe warns of Reader X security holes | ZDNet

By | April 11, 2012, 11:26am PDT

Summary: Adobe ships patches for flaws that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Adobe’s flagship PDF Reader/Acrobat software contains multiple security vulnerabilities that expose computer users to dangerous hacker attacks.

Adobe warned about the vulnerabilities in a security bulletin that contained patches for Windows, Mac OS X and Linux users.

Microsoft Security Bulletin Summary for March 2012
Adobe - Security Bulletins: APSB12-08 - Security updates available for Adobe Reader and Acrobat

No comments: