The Microsoft Security Bulletin Advance Notification for April 2012 contains six bulletins. The number of bulletins isn’t huge but the potential harm is great. Of the six bulletins, there are four critical bulletins that touch all of Microsoft’s most popular offerings. All of the critical bulletins would result in remote code execution.
Bulletin 1 is a remote code execution for Microsoft Windows and Internet Explorer, indicating that users could be compromised by visiting websites with specially crafted malicious content. This has been a rough week for organizations and consumers who have been rushing to patch the Java related CVE-2012-0507.
Bulletin 2 is a critical update that patches remote code execution possibilities on all current Windows operating systems. This update will address a vulnerability associated with the core operating system and will require reboot, so organizations should schedule downtime on affected systems.
Bulletin 3 is another critical remote code execution vulnerability and affects all Windows operating systems running .NET Framework. This bug will affect organizations running .NET framework based applications and may require a restart.
Bulletin 4 is an interesting critical bulletin because it affects a diverse set of products, including Microsoft Office, Microsoft SQL Server, Microsoft Server Software, and Microsoft Developer Tools. It looks like remote code execution on this one may be triggered by a malformed malicious file, so it may be primed for spear phishing.
Bulletin 5 is categorized as important and related to an information disclosure vulnerability with Microsoft Forefront United Access Gateway. Attackers could possibly perform reconnaissance on an organization running the product on the Internet, which is embarrassing because it is a security product.
Bulletin 6 is labeled as important and is a Microsoft Office vulnerability that could result in remote code execution. Since it’s labeled as important, it would probably be limited to the permissions of the user that opens up a malicious document.
The take away until organizations are patched up next week, is watch where you are surfing on the Internet. Use an alternative browser until Internet Explorer is patched. Also, be very careful about opening up Microsoft Office documents.
After the Microsoft MAPP exploit proof-of-concept leak regarding MS12-020, I wouldn’t be surprised if Microsoft attempts to batten down the hatches on the amount of information they disclose prior to the monthly patch cycle. Based on that leaked proof-of-concept code, exploit developers were able to create a denial of service exploit. There hasn’t been any remote code execution on MS12-020 announced at this point.
Author: Marcus Carey, security researcher at Rapid7.