Patch Tuesday closes critical Windows, Office and IE holes
As expected, on Tuesday 10 April Microsoft released six security bulletins that address a total of 11 vulnerabilities in its products, eight of which are considered to be critical. Four of the bulletins address critical holes in all supported versions of Windows, Internet Explorer (IE), the .NET Framework, Office and SQL Server, as well as Microsoft Server and Developer tools. All of these bugs could be exploited by attackers to remotely inject and execute malicious code on a victim's system via a specially crafted file.
One critical bulletin, MS12-024, addresses a privately reported vulnerability which could allow attackers to modify existing signed executable files. Another, MS12-027, fixes an issue in Microsoft's common controls, which are used in numerous Microsoft applications; it can be exploited to allow remote code execution when a user visits a malicious site or opens an email attachment. An Internet Explorer bulletin, MS12-023, affects all supported versions of IE and closes five holes: one when printing a specially crafted HTML page and four when IE accesses deleted objects in various situations. The rating for these holes is either critical or moderate depending on the combination of operating system and IE version. Finally, MS12-025 closes a vulnerability in the .NET Framework which allows attackers to "take complete control of an affected system".
The remaining two bulletins are rated as "Important" by Microsoft; they fix an additional remote code execution problem in Office and an information disclosure issue in Microsoft's Forefront Unified Access Gateway (UAG).
- Microsoft Security Bulletin Summary for April 2012, security advisory from Microsoft.