March 2012 Patch Tuesday Preview

Microsoft today released its Advanced Notification for March 2012 with a total of six bulletins that affect all versions of Windows and two Microsoft applications, Visual Studio and Expression Design.

Bulletin 1 will be the most important; it is critical rated Remote Code Execution (RCE) and is applicable in all versions of Windows from XP to the latest Win 7 and Server 2008R2. The other RCE vulnerability is in Bulletin 5, rated important, because opening a malicious file is required for Expression Design, an application competing with Adobe’s graphics tools.

Speaking of Adobe, they have released earlier this week a new version of their Flash player that addresses two vulnerabilities found by Google security engineers Fermin Serna and Tavis Ormandy. In this release they used for the first time their new "Priority" mechanism, which gives users some guidance regarding the urgency of applying patches – Priority 1 patches should be applied within 72 hours, Priority 2 within 30 days, and Priority 3 is left to the user. This particular Flash release is rated Priority 2 – fix within 30 days, but I would suggest fixing it as quickly as possible as detailed information will become available soon.

Google showed remarkable agility this week and released a new version of its Chrome browser, that addresses the vulnerability exploited on Tuesday at the Pwnium contest held at CanSecWest, where they rewarded security researcher Sergey Glazunov a prize of US$ 60,000.