As some readers will already be aware, “Patch Tuesday” is the label used by Microsoft to denote the company’s monthly release of remedial software updates designed to fix flaws which have been uncovered and/or exploited in the Windows operating system and its wider ecosystem of platforms and applications.
May 2012’s Patch Tuesday sees a busy set of seven ‘bulletins’ released for public consumption. Three are classified as ‘critical’ and four as ‘important’, with a total of 23 vulnerabilities being highlighted.
The fixes themselves are channelled towards issues that have been highlighted within Microsoft Office, the Silverlight application framework for Internet apps, and the .NET programming platform.
Of note is the fact that bulletin #2 impacts all three of these technologies. Also of note is the fact that bulletin #1 extends backwards to impact Office 2003 and Office 2007 editions with a ‘critical’ rating on Windows and an ‘important’ tag for Apple Mac OS X users.
Patches can be applied on Windows machines using the Microsoft Update service or by using update management software. The MS12-029 #1 bulletin is said to be the highest priority at this time, as this Microsoft Office vulnerability could be used to gain control of a user’s machine without requiring the user’s interaction. Reports suggest that simply viewing an attached file in the ‘preview’ pane of Outlook is sufficient to trigger an exploit based upon this flaw.
Microsoft says that an attacker who successfully exploited the vulnerability could gain the same user rights as the current user; but users whose accounts are configured to have fewer user rights on a networked system should be less impacted than users who operate with administrative user rights.
In line with Microsoft’s software fixes, Adobe’s monthly patch release is timed to coincide, and Adobe’s May 2012 release addresses five vulnerabilities in the company’s Shockwave player.
The release of these patch fixes does not necessarily mean that vulnerabilities have been widely exploited, or indeed exploited at all. They do, though, serve as a call to both users and IT administrators to install the latest updates as soon as possible in order to lock down their data security.