Microsoft's April Patches Bring 64 Fixes
As expected from its Thursday preview, Microsoft has released 17 security bulletins that detail the patches for 64 vulnerabilities in various Microsoft products. For those wondering about their priorities, Microsoft has rated nine of these fixes as "critical" to deploy, while eight are deemed "important."
"This month the numbers tell their own story," said Andrew Storms director of security operations at nCircle. "Today's massive patch leaves me wondering if this is the kind of patch we are going to see more of in 2011."
Storms added that "choosing the patch that should receive top priority for IT security teams this month is tough," and that "it's a toss-up between the Internet Explorer and SMB [Server Message Block] patches."
Shoring up remote code execution attack risks appears to be the predominant theme in this April rollout. Microsoft's security update indicates that 15 of the 17 patches are designed to plug remote code execution vulnerabilities. The remaining two issues concern information disclosure and elevation-of-privilege threats to be plugged.
The first critical security bulletin contains a cumulative fix for Internet Explorer browsers. It addresses four privately reported vulnerabilities and one publicly disclosed flaw. This item touches every Microsoft-supported Windows operating system, covering IE 6, 7 and 8 browser versions.
The next two critical security bulletins deal with flaws in the SMB Protocol. The first fix addresses a security problem with client-initiated SMB requests, while the second addresses corrupt SMB packets that could be used to gain remote access of a windows system.
This month's patch also includes critical fixes for ActiveX kill-bit flaws, the .NET Framework and Windows Graphic Device Interface components. Microsoft also addressed critical fixes for networking, scripting and Web-link font vulnerabilities with critical bulletins on Windows Domain Name Services, JScript and VBScript scripting engines, and the OpenType Compact Font Format, respectively.
The seven important security bulletins span various issues affecting Windows and other Microsoft products, including Microsoft Office (Word, Excel and PowerPoint) and Microsoft development tools.
Additionally, a security bulletin addressing the disclosed vulnerability in the MHTML protocol handler in Microsoft Windows is finally being addressed in this update cycle.
The last important item in Microsoft's security update might be something that few Windows IT pros have seen. This one patch resolves 30 (not a typo) privately reported vulnerabilities in Windows kernel-mode drivers. Microsoft says that the vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. This one patch is the reason why there are 64 vulnerabilities in one month, a bug count unheard of until today.
All 17 fixes may require system restarts after they are applied.
As if the historic patch weren't enough, Microsoft also released two security advisories, making an "ugly" patch Tuesday seem that much more personal. First, there's KB2501584, which verifies binary file formats used in Office 2003 and Office 2007. The second one is KB2506014, which hardens the Windows operating system against kernel-mode rootkits, such as the pesky and pervasive Alureon rootkit that bristled up to Windows systems in 2010.
If there's any time left, IT pros can check out the newly released Microsoft Security Update Guide, which is designed to help make sense of all of these patches and evaluate threat risks.
There's also this Knowledge Base article for information about nonsecurity updates being pushed out via Windows Update, Microsoft Update and Windows Server Update Services.
Microsoft hatched a monster in April, and security experts were unsparing.
"All of this is further evidence that our methods of securing our systems still aren't up to par," said Paul Henry, security analyst at Lumension. "No matter how you look at it, it's an ugly Patch Tuesday this month."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.