Patch Tuesday April 2012 – Critical updates for Windows, Office and Adobe Reader

As I pack my bags to head off to BSides Austin, where Sophos is proudly sponsoring the t-shirts and WiFi for this year’s event, another Patch Tuesday is upon us.

This month Microsoft has released six patches, four critical, for eleven vulnerabilities in Office, Windows and various server products. SophosLabs has analyzed this month’s vulnerabilities and mostly agrees with Microsoft, but one of them rated important we consider a high risk vulnerability.

MS12-023 fixes several vulnerabilities in Internet Explorer (all supported versions). This is a high risk vulnerability considering that distributing threats over the web is a favorite tactic for cybercriminals. We will likely see exploits targeting these flaws in the not too distant future.

A flaw in Authenticode Signature Verification, the part of Windows that checks code for valid digital signatures was patched in MS12-024.

The bug allows signed binaries to be appended with potentially malicious content, but still appear to be validly signed. This type of bug could be exploited in a Stuxnet-like attack without the need to steal digital certificates to sign the bad code.

MS12-025 is a critical flaw in the .NET framework affecting both Windows clients and ASP.NET. Considering nearly all Windows computers have .NET installed you should apply this patch immediately for both servers and workstations.

Microsoft Forefront Unified Access Gateway, a fancy name for VPN services, needs patch MS12-026. This vulnerability assessed by SophosLabs as low risk could allow information disclosure.

The patch getting the most attention this month is MS12-027. Microsoft has reported this vulnerability being actively exploited in the wild before publication. The bug impacts users of Windows, Office and several Microsoft server products and allows a malicious website to run arbitrary code.

This type of bug is often referred to as “browse and own” and I would make this update priority one, considering it is already being used to compromise users.

And last, but not least is MS12-028. While Microsoft gives this flaw an important rating, SophosLabs disagrees classifying it as high risk. The flaw allows remote code execution if a user tries to open a maliciously crafted Microsoft Works file in Microsoft Office.

If you are unable to deploy this patch right away, I would configure your mail gateway to block attachments with a .wps extension. Unless of course you still use Microsoft Works (?).

Adobe, not wanting to feel left out, also delivered fixes for four vulnerabilities in Adobe Reader and Acrobat versions 9 and X.

All four vulnerabilities can lead to remote code execution, so I advise everyone be sure to update to Reader/Acrobat 10.1.3.