Microsoft's May Patch Tuesday - What You Need to Know
As part of May's Patch released on Tuesday, May 8, Microsoft fixes 23 security flaws in all versions of Windows, Microsoft Office, Silverlight, and .NET Framework.
According to Microsoft's Security Bulletin Summary released on Tuesday, three of the seven bulletins were rated as "critical," while the other four were rated as "important."
Except for two bulletins, all others addressed remote code execution vulnerabilities. The bugs fixed in May's security patch are not actively targeted, at least not for now. Microsoft, however, said that exploit for them was likely.
Highest Priority Security Updates
The RTF Mismatch Vulnerability (MS12-029) should be seen as the highest priority for most organizations. The update patches a flaw in Rich Text Format files. The vulnerability can be exploited through Microsoft Office 2003 and 2007 to control an end user's machine. Simply viewing an attached file in Microsoft Outlook's preview pane can trigger the exploit, which will then take control of the end user's machine without requiring any user interaction.
Microsoft Office for Mac 2011 is also included in the list of affected programs. Mac users need to be aware of increasing security risks and pay attention to updates to protect their software, especially with all the recent hype involving infecting Macs. A recent attack exploited an old vulnerability in Microsoft Word for Mac.
Microsoft also focused on the True Type Fonts vulnerability, which was exploited late last year by the Duqu Malware. Microsoft fixed the vulnerability in December's Patch Tuesday update (MS11-087). The internal security team also identified other products, including .NET, Windows, Silverlight, and Office, which contained the vulnerable code, and fixed them in the MS12-034 update. Those applications had several other bug fixes pending, and MS12-034 is a set of patches with such bug fixes, therefore it is very important to be installed.
Excel, Visio Patches in Microsoft Office
Microsoft patched six bugs in Excel (MS12-030), including file format memory corruption, remote code execution vulnerabilities, and record heap overflow. It also fixed one bug in Visio (MS12-031). Both these Microsoft Office bulletins addressed file-format vulnerabilities, which could be exploited with a certain file. A successful infection could allow a cyber attacker to gain control over an end user's targeted machine.
Lastly, the XBAP patch is rated as "critical," but it seems this bulletin is the least urgent one to install. XBAP is a Microsoft browser-based application delivery format. In order to be exploited without any user interaction, the attacker should already be in the same Intranet zone as the target. According to security experts, administrators should completely disable XBAP if there is no specific business need. This way, it would be less likely for the issue to be targeted.
(reported by Alexandra Burlacu, edited by Dave Clark)