As always Microsoft has released a batch of patches on the second Tuesday of the month. This month you will find seven bulletins have been released, three of which are critical and four important.
The critical ones really are critical this time around. The first, MS12-036, reminds me of MS12-020 back in March which we feared would turn into an RDP worm. Fortunately it only resulted in denial of service, but MS12-036 may be the one we feared the last go around.
Microsoft have assigned this vulnerability an exploitability index of one, suggesting that it is possible to use it to get remote code execution reliably. Hopefully all of you have blocked internet access to RDP enabled servers in response to MS12-020.
MS12-037 is a critical fix with an exploitability index of one for Internet Explorer versions six through nine. Microsoft advises to apply this one as soon as possible. It also fixes one of the flaws discovered during this years Pwn2Own contest at CanSecWest 2012.
The last of the critical advisories, MS12-038, impacts the .NET framework component of most Windows systems. It affects an odd bunch of versions, but similar to the first two patches is critical and exploitability of one… Don’t ask twice, apply it now.
Other MS advisories fix flaws in Microsoft Dynamics, a couple of Windows kernel flaws and Microsoft Lync. An important rating may cause less urgency, but it would be prudent to apply them all where appropriate.
Adobe released fixes for Flash Player and Cold Fusion today. As usual get your latest Flash Player updates from http://get.adobe.com/flashplayer or configure Flash to automatically install updates (recommended).
Oracle and Apple have released updates for Java, bring the latest release Java 6 update 33 and Java 7 update 5. These fixes address 14 vulnerabilities in Java and can be obtained from Java.com or by checking for updates on OS X Snow Leopard (10.6) and Lion (10.7).
Patch now for a safer browsing experience, it won’t be long before these bugs are exploited by our adversaries.