
Patch immediately if you use Internet Explorer or Word

Red alert, Microsoft IE surfers: have you patched yet? You need to do so immediately. Enterprises need to deploy stat, before "browse and own" hits, since attackers are already exploiting the ActiveX flaw and malware writers are busy crafting malicious goodies for a PC near you soon.

Lurking underneath the six Microsoft April Cumulative Security Updates to patch 11 vulnerabilities in Windows and IE is a really dangerous vulnerability that you should patch immediately if not before. Neowin reported:

This security update resolves five privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user visits a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.

According to Darknet, The Darkside, Microsoft would say "there have only been 'limited attacks'," but the Big M has been "hiding some more serious security issues under the carpet. Apparently attackers are already exploiting the MS12-027 flaw in ActiveX in the wild." There's more about the critical vulnerability that could allow remote code execution posted on the MS12-027 bulletin.


Indeed, Microsoft Security Research & Defense reported "limited, targeted attacks" in which hackers were exploiting this zero-day vulnerability in the wild. But as we've frequently seen with Adobe Reader flaws (yes, it needs updating too), if an attacker tricks a user into opening a document in the browser, it means pwnage: "browse and own." Gregg Keizer reported, "Hackers are already using the vulnerability in malformed text documents, which when opened either in Word or WordPad -- the latter is a bare-bones text editor bundled with every version of Windows, including Windows 7 -- can hijack a PC."

Wham bam, in fact the "flaw patched by MS12-027 is a double threat." Install it first. According to Jason Miller, manager of research and development at VMware, "There are two attack scenarios. There's the malicious website [scenario] and then RTF documents, which are pretty common." And you can bet malware writers will be busy crafting malicious goodies for a computer near you soon.

MS12-024 patches a critical vulnerability in all supported versions of Windows, including Windows 8 Consumer Preview for those of you running it. Qualys said "the bug in MS12-024 lets hackers hitch a ride inside legitimate software installation packages."

Microsoft was happy to announce, "In the US nearly 50% of Windows 7 users are experiencing the best the web has to offer with IE9." Still, not everyone is an IE fan, and if you haven't deployed the patches yet, the bad news does not stop there. Darknet wrote, "And well if anyone is using Internet Exploder Explorer still - they are in trouble anyway. The scary part is, 8 out of the 11 issues patched with this update were marked as Critical and it affects IE9 - the latest version of the Microsoft browser."

Although Network World readers previously made it clear that patching Windows is a major time sink for IT departments, patch your OS and update your applications and third-party add-ons, as was advised in "Data, Data Everywhere. Not a Control to Waste!" That Windows Blog post stated, "The computers in your organization are only as secure as your least-patched system. I am sure that you are tired of hearing how important patching is. I remember how painful it was when I managed thousands of desktops and servers. That doesn't eliminate the fact that it's one of the most significant things that you can do to successfully reduce attacks on your clients and servers."

Last but not least in the Windows-is-giving-me-a-headache department, as Andy Patrizio reported, "it's the end of XP, Vista and Office Support as we know it" with the clock ticking down to "total extinction." Colin Neagle wrote that "when Microsoft stops supporting Windows XP," it could signal the "beginning of security nightmare" and "consumer, corporate and even SCADA systems" could be at risk. The Windows Team blog nudged customers to hurry up and switch since "Microsoft will officially end support for Windows XP and Office 2003 on April 8, 2014." According to an email from Microsoft PR, the analysis from industry-leading firm Gartner said that more than 50% of organizations that do not start deploying Windows 7 in early 2012 will not complete their deployments before Windows XP support ends, "and will suffer increased support costs."

Follow me on Twitter @PrivacyFanatic
