Microsoft patched 14 security vulnerabilities in its Patch Tuesday update on April 9, including critical bugs affecting Windows and Internet Explorer.
To address the vulnerabilities, Microsoft released a total of nine security bulletins this month, including two bulletins ranked “critical.” Both of the critical bulletins, which affect Internet Explorer and Windows Remote Desktop Client, address vulnerabilities that could be exploited to permit an attacker to remotely execute code. According to Microsoft, the issues covered by the two bulletins can be exploited if an attacker tricks a user into viewing a specially crafted Web page.
“Once again there is an IE patch (MS13-028) which is rated critical, but this one differs from last month’s incarnation by applying to all supported versions of IE (6-10) on the relevant platforms, including IE 10 on Windows 7 and 8,” Ross Barrett, senior manager of security engineering at Rapid7, said in a statement. “Due to the widespread use of IE and subsequently high degree of exposure for any group or individual using it, combined with the severity, this is where I would prioritize patching efforts.”
The other critical bulletin (MS13-029) should be the next priority for enterprises, he said.
“This issue is in the RDP ActiveX control and affects versions 6.1 and 7, but not 8,” he added. “However, RDP 8 is not yet the default on the affected platforms. This issue could be triggered through an RDP link in a browser or other content. A workaround would be to set the ‘kill-bit’ for these ActiveX controls, but the update actually fixes the issue, rather than disabling the RDP control.”
The remaining seven bulletins address vulnerabilities in Microsoft Office, Windows Defender, Microsoft Server Software and Windows. Five of the seven bulletins deal with privilege escalation issues, while the remaining bulletins address a denial-of-service vulnerability and an information disclosure issue.
“Of the remaining seven advisories, it’s hard to call what the top priority is, and the real risk will depend on your environment,” Barrett said. “I would lean toward saying that MS13-035, an elevation of privilege issue which affects Microsoft InfoPath, SharePoint and ‘Office Web Apps 2010’ would be the next biggest cause for concern. This is a cleanup of functionality in the ‘safe HTML’ component in these products.”
Microsoft did not address any of the issues exploited during the Pwn2Own contest at CanSecWest earlier this year. According to Dustin Childs, group manager of Microsoft Trustworthy Computing, Microsoft is not aware of any attacks exploiting the issues raised by the researchers at the contest.
“Microsoft works with the security community to protect our customers against all threats, and we are investigating possible issues identified by researchers during the Pwn2Own competition,” Childs said in a statement.
In addition to patching the vulnerabilities, Microsoft also reminded customers that it is ending support for Windows XP on April 8, 2014. This means that it will no longer be providing security updates for Windows XP.
Besides the Microsoft vulnerabilities, Adobe Systems issued an update for ColdFusion, Flash Player and Shockwave Player. According to Adobe, none of the bugs are currently being exploited in the wild.