Microsoft will have a busy Patch Tuesday as it looks to fix six vulnerabilitiesfour of them rated “critical”in software ranging from Internet Explorer and Office to SQL Server, Windows 7 and the .NET Framework.
In a bulletin released April 5, Microsoft officials labeled the other two patches targeted for April 10 as “important,” the second most urgent rating after “critical.”
According to Marcus Carey, security researcher at security software vendor Rapid7, the scopeif not the numberof patches is significant.
“The Microsoft Security Bulletin Advance Notification for April 2012 contains six bulletins,” Carey wrote in an email. “The number of bulletins isn’t huge, but the potential harm is great. Of the six bulletins, there are four critical bulletins that touch all of Microsoft’s most popular offerings. All of the critical bulletins would result in remote code execution.”
Most security experts are focusing on Bulletins 1 and 4. Bulletin 1 deals with a fix to Internet Explorer, the most popular Web browser in the world. According to Microsoft, the security holes in IE could be used by hackers to launch remote code execution attacks. Users could be affected if they go to Websites that have malicious content built in.
Bulletin 4 is getting attention because of the number of Microsoft products its coversOffice, SQL Server, Microsoft Server software and Microsoft Developer Tools. Specifically, it will cover SQL Server 2000 through 2008 R2, Office 2003 through 2010 on Windows, Commerce Server 2002 through 2009 R2, BizTalk Server 2002, Visual FoxPro 8 and Visual Basic 6 Runtime, according to the software giant.
“Bulletin 4 is an interesting critical bulletin because it affects a diverse set of products,” Rapid7’s Carey wrote. “It looks like remote code execution on this one may be triggered by a malformed malicious file, so it may be primed for spear-phishing.”
One of the other critical updates addresses vulnerabilities in current versions of Windows. The patch will fix remote code execution issues. The other critical update addresses another remote code execution vulnerability in the .NET Framework.
Bulletins 5 and 6 are both labeled “important.” The first one is designed to patch an information disclosure vulnerability in Microsoft’s Forefront United Access Gateway that could open up a company to hacker reconnaissance when running the software on the Internet, which Carey pointed out “is embarrassing because it is a security product.”
Bulletin 6 is another patch to close a remote code execution vulnerability in Office.
“The takeaway until organizations are patched up next week, is watch where you are surfing on the Internet,” Carey wrote. “Use an alternative browser until Internet Explorer is patched. Also, be very careful about opening up Microsoft Office documents.”