Microsoft Smashes Patch Tuesday Record With Massive Update
All totaled, the company issued 17 bulletins to address 64 vulnerabilities, eclipsing the record it set when it plugged 49 security holes in October.
Nine of the 17 bulletins are rated ‘Critical,’ Microsoft’s highest designation. Of those, three -- MS11-020 (SMB Server), MS11-019 (SMB Client) and MS11-018 (Internet Explorer) -- have been named by the company as top priorities for customers.
The Internet Explorer (IE) bulletin fixes five vulnerabilities impacting IE 6, 7 and 8. IE 9 is unaffected. According to Microsoft, there have been reports of limited attacks targeting some of the vulnerabilities.
“Out of the IE vulnerabilities addressed this month, the object management memory corruption issue is one of the most critical,” said Joshua Talbot, intelligence manager with Symantec Security Response. “A reliable exploit for this vulnerability was developed at the ‘Pwn2Own’ contest [at the CanSecWest Applied Security Conference] last month.”
MS11-019 meanwhile fixes two vulnerabilities in Microsoft Windows that could enable remote code execution if an attacker sends a specially-crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server, Microsoft explained.
MS11-20 resolves a Windows bug that could allow an attacker to remotely execute code if they send a malicious SMB packet to a vulnerable system. Firewall best practices can help protect networks from attacks originating outside the enterprise, the company noted in its advisory.
“MS11-20 should be at the top of most organizations' list for remediation since it is based on a common server (SMB), is rated exploit likely by Microsoft and it does not require user authentication,” said Josh Abraham, security researcher at Rapid7. “This bulletin includes 1traction parsing vulnerability. This requires an attack to send a malicious crafted SMB packet against a vulnerable system including Windows XP SP3- Windows 7. Systems administrators should be watching the mailing lists for exploit for this bulletin.”
The remaining critical bulletins include updates for ActiveX Kill Bits, .NET Framework, Windows GDI+, Windows DNS resolution, OpenType Compact Font Format (CFF) driver and the JScript and VBScript scripting engines. The other eight bulletins are rated ‘Important.’
“As we've said time and time again, it truly takes a community to keep customers and the overall ecosystem free from threats,” blogged Pete Voss, senior response communications manager with Microsoft Trustworthy Computing. “Microsoft truly appreciates coordination with industry experts working together to keep customers protected. In total, 21 finders coordinated with Microsoft for the April release. Microsoft actively partners with the security community to assess threats and better protect customers, and April is an example of Coordinated Vulnerability Disclosure (CVD) at work.”
In addition to the patches, Microsoft announced the Office File Validation feature currently in Office 2010 is now available for Office 2003 and Office 2007 users. The feature is designed to help block malware disguised as Office documents. The company also issued an update for Windows Operating System Loader to help prevent rootkit evasion.