Microsoft will repair critical vulnerabilities in Internet Explorer and Windows as part of its April round of security updates.
In its April 2013 Security Bulletin Advance Notification, the software giant said it would issue nine security bulletins, two of which are critical and fix both client- and server-side bugs throughout its product line.
A critical bulletin addresses remote-code execution vulnerabilities in Internet Explorer and affects IE 6, 7 and 8. There is no word on whether Microsoft will be repairing vulnerabilities exploited by participants of the CanSecWest HP-TippingPoint Pwn2Own contest. A second critical bulletin addresses a remote-code execution vulnerability in Windows XP.
Security researchers exploited a Microsoft Surface Pro tablet at CanSecWest using two Internet Explorer vulnerabilities, bypassing the sandbox restrictions on the device. The annual hacking contest was held last month in Vancouver, and researchers created exploits that bypassed two critical Windows defenses: address space layout randomization and data execution prevention.
In a first for Microsoft, the company will issue an important security update for Microsoft Office Web Apps 2010. The company is also issuing an update to Windows Defender 2010 for Windows 8 and Windows RT.
The company is also addressing flaws in its SharePoint server with two bulletins rated important. The flaws impact SharePoint 2010 and 2013. Microsoft Groove server is also impacted by one of the updates.
Alex Horan, a senior product manager at Boston-based CORE Security, said the volume of patches this month is noteworthy and could result in delays. "This can allow critical vulnerabilities to be exploited while less significant concerns simply cloud the security picture," Horan said in a statement.
Microsoft recently issued a patch repairing a spoofing flaw in its Mail client for Surface tablets. During its March Patch Tuesday, the software maker fixed nine flaws in Internet Explorer. The security update included four critical bulletins, repairing 20 flaws in its products.
The update will be released Tuesday, April 9, at 1 p.m. EST.
PUBLISHED APRIL 4, 2013