Hello,

As you know, today is Update Tuesday. Before I go into the bulletin details, however, I wanted to let you know that today we’re notifying customers that Windows XP and Office 2003 will go out of support in April 2014. We understand that preparing to deploy the latest versions of Windows and Office may take time for some organizations, and we encourage all customers to upgrade to the latest operating system to help protect your systems.

Now, on to the updates. If you’re running Automatic Updates you’re automatically protected from the issues addressed this month, and for those of you who test and deploy your updates, we’ve offered some details and guidance below.

As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing six security bulletins, four of which are rated Critical in severity, and two Important.

These bulletins will increase protection by addressing 11 CVEs. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these Critical updates:

  • MS12-027 (Windows Common Controls): This security update resolves a CVE in the MSCOMCTL.OCX ActiveX control, which could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability.
  • MS12-023 (Internet Explorer): This security update resolves five CVEs in Internet Explorer, which could allow a third party to gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In the video below, Yunsun Wee discusses this month's bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Exploitability Index

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

Deployment Priority

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Jonathan Ness from the MSRC will join me Wednesday for a webcast. Please tune in and learn more about the April security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, April 11, at 11 A.M. PDT. Click here to register.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing