
Patch Tuesday fixes issued for HTTP, Internet Explorer

Microsoft issued patches across 11 bulletins addressing 25 vulnerabilities for April's Patch Tuesday, and rolled out Skype for Business to Office 365 customers.

April's batch of Windows patches includes four critical updates that address remote execution vulnerabilities, including an HTTP.sys flaw.

The flaw, which could lead to remote code execution, is present in Windows Server 2008 through Windows Server 2012 R2.

The attack is an integer overflow vulnerability, an older style of attack, said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.

The attack "does not require authentication," said Amol Sarwate, vulnerability labs manager for Qualys. "If [Microsoft] IIS is facing the internet, this could prove to be very serious and organizations should patch ASAP."

On the desktop side, a cumulative update addresses 10 security flaws in Internet Explorer (IE), nine of which are memory corruption vulnerabilities and one of which is an address space layout randomization bypass vulnerability. The update is rated critical for all supported versions of IE on affected Windows clients and moderate for all supported versions of IE on affected Windows servers.

Another critical update addresses five issues in Microsoft Office, one of which deals with a Microsoft Outlook App for Mac XSS vulnerability. Three patches address component use-after-free vulnerabilities.

This flaw could prove to be dangerous as the flaw can even exploit Outlook's preview pane functionality, Sarwate said.

Of the seven important updates, three address elevation of privilege vulnerabilities in Windows Task Scheduler for all supported releases of Microsoft Windows, and two fix information disclosure flaws in AD FS and .NET Framework. One bulletin addresses an ASP.NET information disclosure vulnerability, and one addresses a Windows Hyper-V denial of service vulnerability for Windows 8.1 for x64-based Systems and Windows Server 2012 R2.

Microsoft also rolled out Skype for Business as an update for Office 2013. Lync Online services will automatically be updated to Skype for Business Online, and all customers are expected to be transitioned by the end of May, the company said in a blog post. Current Lync Online admins or Lync Server customers can control when the update rolls out to users. Lync will be rebranded as Skype for Business, and Lync features like content sharing and telephony will be refined.
