Patch Tuesday fixes issued for HTTP, Internet Explorer

Microsoft issued patches across 11 bulletins addressing 25 vulnerabilities for April's Patch Tuesday, and rolled out Skype for Business to Office 365 customers.

April's batch of Windows patches includes four critical updates that address remote execution vulnerabilities, including an HTTP.sys flaw.

The flaw, which could lead to remote code execution, is present in Windows Server 2008 through Windows Server 2012 R2.

The attack is an integer overflow vulnerability, an older style of attack, said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.

The attack "does not require authentication," said Amol Sarwate, vulnerability labs manager for Qualys. "If [Microsoft] IIS is facing the internet, this could prove to be very serious and organizations should patch ASAP."

On the desktop side, a cumulative update addresses 10 security flaws in Internet Explorer (IE), nine of which are memory corruption vulnerabilities and one of which is an address space layout randomization bypass vulnerability. The update is rated critical for all supported versions of IE on affected Windows clients and moderate for all supported versions of IE on affected Windows servers.

Another critical update addresses five issues in Microsoft Office, one of which deals with a Microsoft Outlook App for Mac XSS vulnerability. Three patches address component use-after-free vulnerabilities.

This flaw could prove to be dangerous as the flaw can even exploit Outlook's preview pane functionality, Sarwate said.

Of the seven important updates, three address elevation of privilege vulnerabilities in Windows Task Scheduler for all supported releases of Microsoft Windows, and two fix information disclosure flaws in AD FS and .NET Framework. One bulletin addresses an ASP.NET information disclosure vulnerability, and one addresses a Windows Hyper-V denial of service vulnerability for Windows 8.1 for x64-based Systems and Windows Server 2012 R2.

Microsoft also rolled out Skype for Business as an update for Office 2013. Lync Online services will automatically be updated to Skype for Business Online, and all customers are expected to be transitioned by the end of May, the company said in a blog post. Current Lync Online admins or Lync Server customers can control when the update rolls out to users. Lync will be rebranded as Skype for Business, and Lync features like content sharing and telephony will be refined.


Join the conversation

4 comments


So Lync is going away and being replaced by Skype... Can't say I didn't see that coming.

They renamed it from Lync to Skype for Business includes shipping new clients serves in Office 365 and a summit will be held

Is anyone really surprised by the Skype announcement? I'm surprised it took this long to be honest.

I'd agree with that ToddN2000, agree wholeheartedly.
