Tuesday was quite a day for IT administrators-for the month of April, both Microsoft and Adobe released patch loads repairing a slew of critical flaws that could easily pave the way for users to become victims of malicious attacks.
For its April Patch Tuesday security bulletin, Microsoft released six updates repairing a total of 11 vulnerabilities. Of the patches released, four were given the highest severity rating of “critical,” indicating that the vulnerabilities could enable remote hackers to launch attacks, usually without requiring any user intervention. The remaining two were designated with the slightly less severe ranking of “important.”
Altogether, Microsoft issued addressed critical and important security issues in Internet Explorer, Windows, .Net framework, Forefront Unified Access Gateway, Windows Common Controls and Microsoft Office, and all of the patches may require a restart.
For users who absolutely need to prioritize the patches, Microsoft recommended first deploying the comprehensive update for its popular Web browser Internet Explorer. The patch plugs a total of five security holes, the most severe of which could enable remote code execution if an attacker lured victims to a malicious Web page or enticed them to open an infected link running on IE. As with all remote code execution vulnerabilities, attackers that successfully exploited the flaws could potentially launch denial-of-service attacks or take complete control of the affected system in order to steal personal and financial data and record keystrokes and logins.
Microsoft also recommended that users prioritize a critical update for Windows Common Controls, which repairs a privately reported vulnerability affecting Microsoft Office, SQL Server, Server Software and Developer Tools. As with many critical flaws, the security hole could unleash malicious code on users’ computers if they were to visit an infected Website, click on an infected link delivered over e-mail or Instant Messenger, or open an infected attachment, typically through some kind of social engineering scheme.
Meanwhile, along with its patch load, Microsoft gave users the early heads up that it planned on discontinuing support for Windows XP and Office 2003 by April 2014-giving users of legacy systems two whole years to plan upgrades and migrate to more recent versions. Many users stayed with XP, forgoing the migration to Vista known for its numerous compatibility and performance issues, before leapfrogging to Windows 7. However, over the years, the legacy XP has become the low hanging fruit as attackers have found more and more ways to exploit critical vulnerabilities in the aging operating system. The eventuality of discontinued support for both XP and Office 2003 could possibly be the impetus for users to upgrade to newer systems fortified with better security controls.
“We understand that preparing to deploy the latest versions of Windows and Office may take time for some organizations, and we encourage all customers to upgrade to the latest operating system to help protect your systems,” said Pete Voss, Microsoft senior response communications manager, in a blog post.
Meanwhile, congruent with Microsoft’s release, Adobe also issued its now regularly scheduled quarterly patch update. Specifically, Adobe released security updates for Reader X 10.1.2 and earlier versions for both the Windows and Mac platforms, and Reader 9.4.6 and earlier 9 versions for Linux, as well as updates for Acrobat version 10.1.2 and earlier for Windows and Mac.
Altogether, the updates repaired several memory corruption flaws and integer overflow errors, as well as a security bypass flaw and the malicious Flash Player vulnerability described in Security Bulletins APSB12-03, APSB12-05 and APSB12-07.
As with many Adobe flaws, the vulnerabilities opened the door for attackers to launch remote code execution attacks that could crash users’ machines or enable them to take control of the entire system to commit data and identity theft. As such, Adobe recommends that users install the updates as soon as possible in order to reduce security threats and the risk of attack.
Leave a reply
