
It's Microsoft Patch Tuesday: April 2012

Justin James gathers the information you need to make the right deployment decisions when applying Microsoft's April 2012 patches in your organization.

One nice thing about the April 2012 set of patches is that the recurring issue where opening a legitimate file from a network share that also holds a malicious DLL leads to remote code execution finally seems to have been taken care of. At the same time, we're hit with a problem in the Windows Common Controls (MSCOMCTL.OCX), which ship with a huge variety of products. That's going to be a lot of patching, unfortunately. There is also another vulnerability reachable through XAML Browser Applications (XBAPs). At this point, I suggest that you disable them or restrict them to Intranet-only, because the security flaws around them are approaching ActiveX levels.
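The "disable or Intranet-only" recommendation above, and the MS12-025 entry below, map to one Internet Explorer zone setting. The following PowerShell is an added example (not from the original post or from Microsoft) that enforces it machine-wide. It assumes the IE URL action number 2401 ("XAML browser applications") with 0 = Enable, 1 = Prompt, 3 = Disable, the standard zone numbering (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites), and that writing under HKLM\Software\Policies has the same effect as the "Allow XAML browser applications" Group Policy setting; in a domain you would set that policy in a GPO rather than run this per machine.

```powershell
# Added example (not from the original post): lock down XAML Browser Applications (XBAPs)
# in Internet Explorer, either completely or so that only the Local intranet zone runs them.
# Assumptions (not stated on the page): URL action 2401 = "XAML browser applications",
# values 0/1/3 = Enable/Prompt/Disable, zones 0..4 as numbered below, and that the
# HKLM\Software\Policies key is honored like the equivalent Group Policy setting.
# Run from an elevated prompt; PowerShell 2.0 (Windows XP/Vista/7 era) is enough.

$PolicyZones = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$XbapAction  = '2401'
$Enable = 0; $Prompt = 1; $Disable = 3

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Set-XbapPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disable', 'IntranetOnly')]
        [string]$Mode
    )
    # IntranetOnly keeps zone 1 enabled and disables every other zone, Trusted sites
    # included: a host in Trusted sites would otherwise still run any XBAP it serves.
    foreach ($zone in 0..4) {
        $value = $Disable
        if ($Mode -eq 'IntranetOnly' -and $zone -eq 1) { $value = $Enable }
        $key = Join-Path $PolicyZones $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $XbapAction -Value $value -Type DWord
    }
}

function Get-XbapPolicy {
    # Report the policy value per zone. 'not set' means no policy is enforcing anything
    # and the per-user (HKCU) setting or the zone template default applies.
    foreach ($zone in 0..4) {
        $key = Join-Path $PolicyZones $zone
        $raw = $null
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -Name $XbapAction -ErrorAction SilentlyContinue).$XbapAction
        }
        if ($raw -eq $null)          { $state = 'not set' }
        elseif ($raw -eq $Enable)    { $state = 'Enable' }
        elseif ($raw -eq $Prompt)    { $state = 'Prompt' }
        elseif ($raw -eq $Disable)   { $state = 'Disable' }
        else                         { $state = "unknown ($raw)" }
        New-Object PSObject -Property @{ Zone = $zone; Name = $ZoneNames[$zone]; Xbap = $state }
    }
}

# Usage: restrict XBAPs to the intranet, then read back what IE will enforce.
Set-XbapPolicy -Mode IntranetOnly
Get-XbapPolicy | Format-Table Zone, Name, Xbap -AutoSize
```

Use -Mode Disable if you have no internal XBAPs at all. Because the values live under the Policies hive, users cannot re-enable XBAPs from the Internet Options dialog, and the read-back function is the check to run after deployment to confirm no zone is left at 'not set'.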


Security Patches

MS12-023/KB2675157 - Critical (XP, Vista, W7)/Moderate (2003, 2008, 2008 R2): Five vulnerabilities in Internet Explorer 6 through IE9 are patched that can allow remote code execution attacks to be performed through Web pages. Install this patch immediately.

MS12-024/KB2653956 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): A flaw in the way Windows verifies Authenticode signatures on Portable Executable (PE) files can allow remote code execution if a user runs or installs a specially crafted signed executable. PE is the standard format for Windows .exe and .dll files, so this is not an exotic file type; install this patch ASAP.

MS12-025/KB2671605 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): The patch fixes yet another remote code execution vulnerability in the .NET Framework that is reachable through XAML Browser Applications (XBAPs). Install the patch immediately, and considering the number of security bugs in this otherwise rarely used technology, you may want to seriously consider blocking XBAPs completely.

MS12-026/KB2663860 - Important (Microsoft Forefront Unified Access Gateway 2010): Microsoft Unified Access Gateway (UAG) has a pair of bugs, one of which lets an attacker send a specially crafted query and reach the UAG server's default Web site, and resources behind it, that external users should not be able to access. Install this patch if you use UAG.

MS12-027/KB2664258 - Critical (Office 2003, Office 2003 Web Components, Office 2007, Office 2010, SQL Server 2000 Analysis Services, SQL Server 2000, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, BizTalk Server 2002, Commerce Server 2002, Commerce Server 2007, Commerce Server 2009, Commerce Server 2009 R2, Visual FoxPro 8.0, Visual FoxPro 9.0, VB 6 Runtime): The Windows Common Controls (MSCOMCTL.OCX) can be exploited by malicious Web pages or Office documents to perform remote code execution, and Microsoft reported limited targeted attacks at release. All products that include these controls will need to be updated immediately; because the control is shared, every product on a machine that ships it needs its own update applied.

MS12-028/KB2639185 - Important (Office 2007, Works 9, Works 6 - 9 File Converter): Opening a malformed Works file can perform a remote code execution attack. Microsoft has rated this as "important," but if you use Works or Office 2007, you will want to install it as soon as you can, I think.
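Verifying that these updates actually landed is the part most shops get wrong, because Windows Update only reports per-package KB numbers and Office-side updates never show up in the Windows hotfix list at all. The PowerShell below is an added example (not from the original post or from Microsoft) that audits one machine for the two bulletins whose package KB matches the bulletin KB and then checks the shared MSCOMCTL.OCX binary that MS12-027 replaces. It assumes that MS12-023 and MS12-024 install as KB2675157 and KB2653956 respectively (MS12-025, MS12-027 and MS12-028 ship per-product packages with their own KB numbers, which you take from each bulletin's Affected Software table), and that 6.1.98.34 is the MSCOMCTL.OCX version the MS12-027 file information lists; confirm that number against the bulletin before acting on a "vulnerable" result.

```powershell
# Added example (not from the original post): audit one Windows machine for the April 2012
# updates that Get-HotFix can see, and check the shared Windows Common Controls binary
# (MSCOMCTL.OCX) that MS12-027 replaces. PowerShell 2.0 is enough.
#
# Assumptions, not stated on the page:
#  - MS12-023 and MS12-024 install as packages KB2675157 and KB2653956. MS12-025 (.NET),
#    MS12-027 and MS12-028 use per-product package KBs; look those up in each bulletin.
#  - 6.1.98.34 is the patched MSCOMCTL.OCX version from the MS12-027 file information.
#    Verify it against the bulletin before trusting a "Vulnerable = True" result.

$AprilWindowsKBs = 'KB2675157', 'KB2653956'
$PatchedMscomctl = [Version]'6.1.98.34'   # assumption, see above

function Get-MissingHotFix {
    param([string[]]$KBs)
    # Win32_QuickFixEngineering (behind Get-HotFix) knows only Windows-component updates;
    # Office, VB6 runtime and Works updates are invisible here by design.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $KBs | Where-Object { $installed -notcontains $_ }
}

function Get-MscomctlStatus {
    param([Version]$Patched)
    # The control is 32-bit only, so it lives in SysWOW64 on x64 Windows and System32 on x86.
    $candidates = @("$env:SystemRoot\SysWOW64\MSCOMCTL.OCX", "$env:SystemRoot\System32\MSCOMCTL.OCX")
    $path = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $path) {
        return New-Object PSObject -Property @{ Path = $null; Version = $null; Vulnerable = $false; Note = 'not installed' }
    }
    # Build a comparable Version from the numeric parts; the FileVersion string can carry
    # trailing text and compares as a string, which gets "6.1.98.9" vs "6.1.98.34" wrong.
    $vi  = (Get-Item $path).VersionInfo
    $ver = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $vulnerable = ($ver -lt $Patched)
    if ($vulnerable) { $note = 'older than the MS12-027 build' } else { $note = 'at or above the MS12-027 build' }
    New-Object PSObject -Property @{ Path = $path; Version = $ver; Vulnerable = $vulnerable; Note = $note }
}

# Usage
$missing = Get-MissingHotFix -KBs $AprilWindowsKBs
if ($missing) { "Missing Windows updates: $($missing -join ', ')" } else { 'MS12-023 and MS12-024 packages present' }
Get-MscomctlStatus -Patched $PatchedMscomctl | Format-List Path, Version, Vulnerable, Note
```

Run it under an account that can read WMI and the system directory; wrap the two calls in Invoke-Command against a machine list to sweep a fleet. The file-version check is the one that matters for the VB6 and FoxPro question raised in the comments: since those applications load MSCOMCTL.OCX dynamically, a patched copy in SysWOW64 or System32 fixes every application that uses it, and an old copy leaves all of them exposed no matter which product's updater is marked as installed.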

Other Updates

KB2524478 - Update for 2008 R2 and W7 to correct network connections changing from "Domain" to "Public."

KB2679255 - Fixes an issue with SQL Server in Vista, W7, 2008, and 2008 R2.

"The Usual Suspects": Updates to the Malicious Software Removal Tool and the Junk Email Filter.

Changed, but not significantly: none.

Updates since the last Patch Tuesday

There were no security updates released out-of-band.

Minor items added or updated since the last Patch Tuesday:

KB931125 - Root certification update.

Changed, but not significantly:

KB976932 - Windows 7 SP1.

About

Justin James is the Lead Architect for Conigent.

7 comments
Who Am I Really

After installing, the system can't start. Going into safe mode brings up a dialog with something about "users\...\ does not exist". Uninstalling it solves the problem. Looking at the MS12-024 page, Starter is excluded from the "applies to:" list, yet it was offered and is still sitting in the system tray wanting to be installed. Looking in the updates log shows it as failed.

sysop-dr

The common controls library one surprises me on a few fronts, one being that it doesn't seem to be in the set of patches I just installed even though there is a VB6 run-time on this system. I'm hoping this means our IT is testing the patches, but they pushed all of the rest of them through already. So if someone made a VB6 app or FoxPro app and distributed it, they will have to recompile and redistribute it, right? The VB6 run-time seems to have the controls in it, so I am hoping that will be patched on users' machines by Windows Update. Is that really the case, or will they have to get a new copy of the run-time manually from MS or from the app developers?

Slayer_

Those always cause us a lot of trouble. They usually decimate all our VBA and VB6 programs. We only just finished fixing the last one, which happened 2 years ago (ListView again).

Mark W. Kaelin

Are the Microsoft patches giving you trouble this month? Maybe your peers can help: describe the problems you are having.

Slayer_

Got Office 2007, 2010, XP, Windows 7, VB6, Visual Studio 2003, 2005, 2010. I checked all my machines.

Justin James

As long as the systems have the correct VB6 runtime installed, all of the VB6 applications will use it, even without a recompile, because they dynamically link to it. J.Ja
