Internet Explorer 9.0.6 Now Available; Microsoft Patches Eight Critical Vulnerabilities

Microsoft released a April 10th patch tuesday -- which includes no less than six bulletins, and patches a total of eight Critical vulnerabilities, along with three other security breaches rendered Important."Today we released 6 security bulletins. Four have a maximum severity rating of Critical with the other two addressing Important class vulnerabilities," Jonathan Ness, MSRC […]

Microsoft released a April 10th patch tuesday -- which includes no less than six bulletins, and patches a total of eight Critical vulnerabilities, along with three other security breaches rendered Important.

"Today we released 6 security bulletins. Four have a maximum severity rating of Critical with the other two addressing Important class vulnerabilities," Jonathan Ness, MSRC Engineering, notes in a blog post.

The first bulletin in the update, MS12-023, is targeted at Internet Explorer and aims at resolving five flaws discovered in the application. "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," Microsoft explains. "An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights," added Microsoft.

This security update is rated Critical for IE6, IE7, IE8, and IE9 on Windows clients and Moderate for IE6 /7/8/9 on Windows servers.

With this update IE9 updates to 9.0.6.

Microsoft also patched a privately reported vulnerability in Microsoft .NET Framework that could allow remote code execution "if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs)."

Microsoft notes that the MS12-027 update should be installed first, followed by MS12-023, MS12-024 and MS12-025. The MS12-028 and MS12-026 bulletins rated Important can be installed last.

As part of this software update, Microsoft also released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center.

This release of MSRT include following three threat families - Win32/Claretore, Win32/Bocinex and Win32/Gamarue.

For more specific information on each of the security patches included in this update, you can read Microsoft's Security Bulletin Summary for April 2012.

For those who must prioritize deployment, Microsoft recommend focusing first on these Critical updates:

  • MS12-027 (Windows Common Controls): This security update resolves a CVE in the MSCOMCTL.OCX ActiveX control, which could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability.
  • MS12-023 (Internet Explorer): This security update resolves five CVEs in Internet Explorer, which could allow a third party to gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Below is the deployment priority guidance to further assist customers in their deployment planning:

April 10, 2012 Microsoft Security Bulletin deployment priority guidance

And, here is the risk and impact graph shows an aggregate view of this month's severity and exploitability index:

April 10, 2012 Microsoft risk and impact graph

In the video below, Yunsun Wee discusses this month's bulletins in further detail: