In its April security update, Microsoft today released six security bulletins, four of them critical and two important, to patch 11 flaws in Windows, Internet Explorer, Microsoft Office, SQL Server, Microsoft Developer Tools, and its virtual private networking platform. The update also includes a fix for a bug that attackers are already exploiting. Such flaws are called ‘zero-day’ vulnerabilities.
According to Microsoft, a critical security issue is "a vulnerability whose exploitation could allow the propagation of an Internet worm without the user’s action."
The software giant also issued the first patch for Windows 8 Consumer Preview, the beta-like build that Microsoft released at the end of February this year. Of all the patches released today, the MS12-027 update got the most attention. Both security experts and Microsoft identified MS12-027 as the first update users should install.
"Things got a bit more interesting today," said Andrew Storms, director of security operations at nCircle Security, "because Microsoft is reporting limited attacks in the wild."
The single vulnerability patched in MS12-027 is in an ActiveX control that is a part of every 32-bit version of Microsoft Office 2003, 2007, and 2010. Microsoft also called out SQL Server, Commerce Server, BizTalk Server, Visual FoxPro, and Visual Basic as needing the patch.