Microsoft is urging organisations to apply its April Patch Tuesday updates, one of which addresses “limited, targeted attacks” that use maliciously crafted RTF files.
The “highest priority update” of nine separate flaws Microsoft addresses in its April update is a flaw in the Windows Common Controls ActiveX control that enables ActiveX-based attacks through rigged RTF documents that are opened in either Microsoft Word or WordPad.
The critical update (MS12-027) will prevent an attacker from exploiting that flaw, an attack typically launched by tricking a user into visiting a website.
“If a victim running Office 2007 or 2010 were to receive an exploit for CVE-2012-0158 over the internet or via email, the victim would need to click the Protected View's "Enable Editing" button before the malicious code,” Microsoft security engineer Elia Florio said in a blog post.
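Because the attacks described above arrive as RTF documents carrying an embedded ActiveX (OLE control) object, a defender's first triage step is to check whether an inbound RTF embeds any object at all before it reaches Word or WordPad. The following is an added illustration, not code from Microsoft or from the article: it scans RTF text for the `\object`, `\objocx`, `\objclass` and `\objdata` control words defined by the RTF specification and reports what it finds. The two sample documents are constructed here, and the object class name in the second one is a placeholder, not a real control.

```python
import re

# Constructed sample: a benign RTF document containing only formatted text.
BENIGN_RTF = r"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Quarterly report text.\par}"

# Constructed sample: an RTF embedding an OLE control object. The class name
# and the hex payload are placeholders; this is not an exploit document.
OBJECT_RTF = (
    r"{\rtf1\ansi{\object\objocx\objw1\objh1"
    r"{\*\objclass PLACEHOLDER.Control.1}"
    r"{\*\objdata 0105000002000000}}\par}"
)

# \object opens an embedded object group; \objocx marks it as an OLE control
# (ActiveX) object; \objclass names the class; \objdata carries the hex payload.
OBJECT_RE = re.compile(r"\\object\b")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(r"\\objdata\s+([0-9A-Fa-f\s]+)")


def triage_rtf(rtf_text):
    """Summarise embedded objects in an RTF string for mail/endpoint triage.

    Returns a dict with:
      is_rtf        -- whether the text starts with the RTF signature
      objects       -- number of \\object groups found
      ocx           -- True if any object is flagged as an OLE control (\\objocx)
      classes       -- object class names declared with \\objclass
      objdata_bytes -- total decoded size of all \\objdata payloads
    """
    summary = {
        "is_rtf": rtf_text.lstrip().startswith(r"{\rtf"),
        "objects": len(OBJECT_RE.findall(rtf_text)),
        "ocx": "\\objocx" in rtf_text,
        "classes": [c.strip() for c in OBJCLASS_RE.findall(rtf_text)],
        "objdata_bytes": 0,
    }
    for blob in OBJDATA_RE.findall(rtf_text):
        hex_digits = re.sub(r"\s+", "", blob)
        summary["objdata_bytes"] += len(hex_digits) // 2
    return summary


def should_quarantine(rtf_text):
    """Policy hook: hold any RTF that embeds an OLE control for analyst review.

    The threshold is a local policy choice assumed for this example; a site may
    prefer to quarantine on any embedded object rather than only OLE controls.
    """
    summary = triage_rtf(rtf_text)
    return summary["is_rtf"] and summary["ocx"]


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("object", OBJECT_RTF)):
        print(name, triage_rtf(doc), "quarantine:", should_quarantine(doc))
```

The scan is deliberately coarse: it answers "does this document embed an OLE control?", which is the question a mail gateway or endpoint agent can act on immediately, and leaves identification of the specific control to a sandbox or an analyst. Matching on control words rather than on a particular class name means the check does not need updating each time a new control is abused.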
Microsoft has provided more information about its six other security bulletins here. It warns that reliable exploits for these are likely to appear in the next 30 days.
The updates address flaws in its Internet Explorer browser, Authenticode, .NET Framework, Office Works Converter and its Forefront Unified Access Gateway.
Adobe also released its security updates for four flaws in its often targeted document viewers, Adobe Reader and Acrobat products.
The updates address “critical” vulnerabilities in several versions of Adobe Reader and Acrobat for Windows, Macintosh and Linux systems.
Even though Adobe has not observed any attacks in the wild, it classed the flaws as critical in recognition of how frequently attacks use flaws in these products, with the exception of Acrobat and Reader X, which offer a sandboxed "Protected View".
“Although there are no exploits in the wild targeting any of the vulnerabilities addressed in Adobe Reader 9.5.1, Adobe Reader 9.x continues to be a target for attackers, so, for users who cannot update to Adobe Reader X, we feel that urgently updating Adobe Reader 9.x remains a must to stay ahead of potential attacks,” Adobe’s Secure Software Engineering Team said on its blog.
The company, which last week took a leaf from Google’s Chrome “silent” updates to improve Flash Player security, will now move to a patching cycle that more closely aligns to the “cadence” of Microsoft’s Patch Tuesday by canning its quarterly update cycle.
This means Adobe will continue its monthly Patch Tuesday release cycle, its three-day pre-notification for Reader and Acrobat security updates, and “out of cycle” patches in response to serious zero-day attacks.
“What we are discontinuing is the quarterly cadence and the pre-announcement of the next scheduled release date in the security bulletin for the previous release,” Adobe noted.