Microsoft Delivers Record April Patch

April marks another historic Patch Tuesday with 11 security bulletins being rolled out today by Microsoft.

Five of the security bulletins are deemed "critical," along with five "important" and one "moderate" adding to the mix. All told, Microsoft's April security update aims at fixing 25 vulnerabilities in Windows operating systems and some Microsoft applications.

"This is a much busier April than we've seen in the past," said Josh Abraham, security researcher at Rapid7. "We generally see five to eight updates, and 25 vulnerabilities beats 2009's April record of 21 vulnerabilities addressed. Had Microsoft not addressed the IE rollup with an out-of-band update last month, we would have been looking at 12 updates across 35 vulnerabilities."

Remote code execution (RCE) exploits continue to be the dominant risk to consider. Every critical patch and eight of the 11 security bulletins deal with RCE vulnerabilities. Rounding out the risk matrix for this month's slate are spoofing, elevation-of-privilege and denial-of-service vulnerabilities.

Critical Fixes
The first critical item deals with two privately reported bugs in Windows Authenticode Verification. Authenticode is a digital signature format in Windows operating systems and applications that is used to determine the origin and integrity of software binary code. The fix affects every supported version of Windows, including Windows 7.

"The critical Microsoft WinVerifyTrust signature validation vulnerability can be used to really enhance social engineering efforts," said Joshua Talbot, security intelligence manager at Symantec Security Response. "Targeted attacks are popular and since social engineering plays such a large role in them, plan on seeing exploits developed for this vulnerability."

Critical item No. 2 resolves long-standing vulnerabilities in the Server Message Block (SMB) of Windows. To be exact, Microsoft said this security update resolves "one publicly disclosed and several privately reported vulnerabilities in Microsoft Windows." According to the software giant, the vulnerabilities could allow RCE if "an attacker sent a specially crafted SMB response to a client-initiated SMB request." This fix addresses every Windows OS, including Windows 7.

Meanwhile, critical item No. 3, which only touches Windows 2000 Server, is designed to take care of a privately disclosed hole in Windows Media Services.

The fourth critical item deals with streaming media components of Microsoft MPEG Layer-3 audio codecs. Microsoft's fix addresses every Windows OS except Windows 7 and Windows Server 2008.

The fifth and final critical item is a Windows Media Player patch with RCE implications. Left unpatched, the flaw can be exploited if a user opens "specially crafted media content" hosted on a malicious Web site using the Windows Media Player program.

"More movies and more malware: that's what we've got to look forward to on the Internet," said Andrew Storms, director of security at nCircle. "[The Windows Media Player and Direct Show bugs] both lend themselves to online video malware. If you put these fixes together with Apple's recent patch of QuickTime, it's pretty obvious that attackers are finding a lot of victims through video."

Important and Moderate Fixes
The first important item affects every supported Windows OS. Specifically, it's a patch for the Windows kernel. Left unpatched, the vulnerabilities could allow elevation of privilege if "an attacker logged on locally and ran a specially crafted application."

The second important item resolves a previously described vulnerability in VBScript running on Windows that Microsoft had reported in early March. The fix addresses Microsoft Windows 2000, Windows XP and Windows Server 2003.

Important item No. 3 touches on Microsoft Office Publisher. Left unpatched, a vulnerability in the program could allow RCE if a user opens a specially crafted Publisher file. The fix addresses Publisher versions in Microsoft Office XP, Microsoft Office 2003 and 2007 Microsoft Office System.

Fourth in the important lineup is a fix for Microsoft Exchange and Windows Simple Mail Transfer Protocol (SMTP) Service. It addresses vulnerabilities that could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service, according to Microsoft.

The fifth and last fix among the important security bulletins resolves two privately reported vulnerabilities in Microsoft Office Visio. The patch covers Microsoft Office XP, Microsoft Office 2003 and 2007 Microsoft Office System.

Lastly, the lone moderate patch addresses Web server and network components. At issue here is the integrity of Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) packets. Of particular concern, according to Microsoft, is the manner in which "the Windows TCP/IP stack checks the source IPv6 address in a tunneled ISATAP packet."
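The ISATAP source check described above, as an added example that is not code from the article or from Microsoft: an ISATAP IPv6 address carries the node's IPv4 address in its interface identifier (RFC 5214), so a receiving stack, or a network sensor reviewing protocol-41 traffic, can verify that the inner IPv6 source agrees with the outer IPv4 source of the tunnel. The packets, addresses and function names here are constructed for the example.

```python
import ipaddress
import struct

def isatap_embedded_ipv4(v6):
    """Return the IPv4 address embedded in an ISATAP interface identifier
    (IID = 0[02]00:5efe:a.b.c.d per RFC 5214), or None if not ISATAP-formed."""
    packed = ipaddress.IPv6Address(v6).packed
    iid_hi = struct.unpack("!I", packed[8:12])[0]
    # Clear the 0x0200 'globally unique IPv4' bit before comparing the marker.
    if (iid_hi & 0xFDFFFFFF) != 0x00005EFE:
        return None
    return ipaddress.IPv4Address(packed[12:16])

def check_tunneled_packet(raw):
    """Classify one raw IPv4 frame: 'ok' only when it carries an IPv6 packet
    (protocol 41) whose ISATAP source embeds the outer IPv4 source address."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 41:
        return "not-tunneled"
    outer_src = ipaddress.IPv4Address(raw[12:16])
    inner = raw[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "bad-inner-header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    embedded = isatap_embedded_ipv4(inner_src)
    if embedded is None:
        return "not-isatap"
    return "ok" if embedded == outer_src else "spoofed"

def build_packet(outer_src, inner_src):
    """Constructed sample: minimal IPv4 header (proto 41) + minimal IPv6 header."""
    v6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64)  # version 6, no next header
    v6 += ipaddress.IPv6Address(inner_src).packed
    v6 += ipaddress.IPv6Address("fe80::1").packed      # constructed destination
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address("192.0.2.1").packed)
    return v4 + v6

# Constructed test traffic (documentation-range addresses).
CONSTRUCTED = {
    "consistent": build_packet("192.0.2.10", "fe80::5efe:192.0.2.10"),
    "spoofed": build_packet("198.51.100.7", "fe80::5efe:192.0.2.10"),
    "plain": build_packet("192.0.2.10", "fe80::1"),
}

if __name__ == "__main__":
    for name, pkt in CONSTRUCTED.items():
        print(name, check_tunneled_packet(pkt))
```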

All patches may require a restart.

Additionally, nonsecurity updates via Windows Update and Microsoft Update are available. IT pros can get the details by checking out this Knowledge Base article.

Adobe Systems also issued its security updates for Adobe Reader and Acrobat on April 13. Adobe programs are relevant for Windows enterprise pros because most of Adobe's products are installed and deployed on Windows operating systems. Also, more PDF documents are sent via Internet Explorer than via any other browser.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.
