Microsoft continued a trend of light security bulletins, offering six patches addressing 11 vulnerabilities in its April 2012 Patch Tuesday announcement. Though the overall number may be low, it is far-reaching; just about every Microsoft-supported operating system is affected by critical vulnerabilities, the company said.
Five of the six total bulletins address vulnerabilities that allow remote code execution.
Three bulletins directly address vulnerabilities in Windows Server and Windows desktop operating systems. One such bulletin, MS12-024, fixes an issue in the Windows Authenticode Signature Verification function in which an application or user running a portable executable (PE) file could allow remote code execution. This patch can also be applied to the Windows 8 Consumer Preview.
Jason Miller, manager of research and development at VMware, said this is an important point of focus for server admins.
Because applications containing malicious code are signed, it might be easy to overlook and allow an attacker access to a system, Miller added.
By exploiting this vulnerability, Microsoft said, "an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Similarly, MS12-025 addresses a vulnerability in the .NET Framework that could result in an attacker taking complete control of a system.
Miller said admins using IIS should pay particularly close attention to this patch. This only affects .NET Framework 4 and does not affect earlier versions, Microsoft officials said.
Bulletin MS12-023 is a security update for Internet Explorer, which patches five known vulnerabilities.
"Browsers on my network are the first thing that's going to get attacked," Miller said. He added that third-party browsers, like Google Chrome and Mozilla's Firefox, should also be regularly updated.
Internet Explorer 10 -- currently in Consumer Preview -- has an optional automatic update feature for security and general updates, but Miller said it's unclear if Microsoft will deploy updates rapidly instead of the bi-monthly format it regularly adopts.
He noted that a fix for a recent exploit discovered at Pwn2Own, a hacking contest held at the CanSecWest security conference, is not included in this month's patches. The earliest that it could be included in a bulletin is in June.
The last critical bulletin, MS12-027, addresses a remote code execution flaw that affects a wide variety of business applications, including Microsoft Office as well as Microsoft SQL Server.
Because the number of potential targets is large, Miller said "it's going to be exploited rather quickly by a lot of people."
The remaining bulletins address a flaw in Forefront Unified Access Gateway that could lead to information disclosure and a vulnerability in Microsoft Works files.
Microsoft has a full rundown of April patches on its Security TechCenter.