This article is more than 1 year old

ActiveX update stars in Patch Tuesday critical quintet

It's that time of the month again

Microsoft released five critical patches on Tuesday as part of its latest Patch Tuesday update. The release also included three bulletins over security flaws rated by Redmond as "important".

The worst of the quintet is a flaw in ActiveX. This update also includes a kill bit for the Yahoo! Music Jukebox product, the topic of a proof of concept exploit. Proof that the security bug can be misused makes it a higher risk than the other four critical updates.

The other updates include a cumulative update for Internet Explorer, as well as Office and Windows fixes. Vista is as affected by these critical bugs as XP. Windows Servers are less exposed to these updates, but still need patching.

Observers such as the SANS Institute's Internet Storm Centre (ISC) think Microsoft has underestimated the seriousness of its three important updates. The ISC reckons a flaw that leaves Windows DNS clients vulnerable to spoofing because of entropy in a random number generator is better thought of as critical.

It also considers an input validation vulnerability in the windows kernel that allows privilege escalation, and multiple input validation vulnerabilities in Visio that might allow code injection, to be worse risks than Redmond cares to acknowledge.

The Microsoft April Patch Tuesday summary can be found here. ISC's easier to understand Black Tuesday Overview is here.

In other patching news, Adobe pushed out a patch on Tuesday to addresses multiple vulnerabilities in Adobe Flash Player. Users are advised to update to version 9.0.124.0 of Adobe Flash to guard against potential code injection and cross site scripting risk.

Adobe's bulletin can be found here. Security notification firm Secunia has published a more readable overview here. ®

More about

TIP US OFF

Send us news


Other stories you might like