Today is the second Tuesday of April, and that means it’s Microsoft Patch Tuesday time. This month Microsoft released a total of six new security bulletins, but one in particular deals with a zero-day vulnerability impacting virtually every Microsoft user, which is already being exploited in the wild.
Four of the six security bulletins are rated as Critical by Microsoft, with the remaining two ranked as Important. The Critical security bulletins include a fix for Windows and the .NET framework, as well as the perennial favorite—the cumulative update for Internet Explorer. The biggest deal, though, is MS12-027, which addresses a critical flaw in Windows Common Controls.
Andrew Storms, director of security operations for nCircle, declares MS12-027 is the “deploy now” patch of the month. The Windows Common Controls are widely used throughout the Microsoft ecosystem, so there isn’t much that isn’t potentially impacted by this one.
Storms adds, “It gets worse: Microsoft has already seen exploits for this vulnerability in the wild in limited attacks.”
In a blog post, VMware’s Jason Miller explains that the MS12-027 flaw can be exploited by simply visiting a malicious website using Internet Explorer, or by opening a file attachment with an embedded malicious ActiveX control.
Miller agrees with Storms, and emphasizes, “As Microsoft has already seen active exploits against this vulnerability and it contains a Web browsing scenario, it will be critical to push this patch out to your desktop systems as soon as possible.”
Wolfgang Kandek, CTO of Qualys, also puts MS12-027 at the top of the priority list. Kandek cautions that not only are exploits already out there in the wild, but malware developers will likely target the vulnerability even more now that they can reverse-engineer the patch.
nCircle’s Tyler Reguly warns that the scope of this threat, and the work involved in patching affected applications may be overwhelming for some businesses. He stresses, “This bulletin is a great example of why developers should use shared libraries wherever possible. This should be a simple Windows patch but instead we're seeing every affected application patch the problem independently.”
Again, Miller concurs. He says that software developers are going to have to be diligent about reviewing the details of this bulletin and addressing any issues it may present for applications they have written.
Miller clarifies, “Any developer that has released an ActiveX control should review the information for this security bulletin. These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control.”
With all of the attention on MS12-027, though, don’t lose sight of the fact that there are three other Critical security bulletins to address as well, and Important security bulletins shouldn’t be ignored. Review all of the security bulletins and prioritize them to deploy all of the applicable updates as quickly as possible.