April 2011 Patch Tuesday Overview

Microsoft has released 17 new security bulletins for the April 2011 edition of Patch Tuesday.  These security bulletins address a record 64 vulnerabilities.  There are three bulletins that administrators should address immediately.

First, Microsoft is releasing their bi-monthly update for Internet Explorer.  MS11-018 fixes five vulnerabilities, two of which are zero-day vulnerabilities.  Just yesterday, Microsoft’s MSRC tweeted about reports of limited attacks on one of these zero-day vulnerabilities.  It is extremely important to patch as soon as possible, regardless of which browser you are running.  Web browsers are still, and will continue to be, one of the most common attack vectors, and the urgency to patch grows dramatically when zero-day vulnerabilities in a web browser are actively being exploited.  It is important to note, however, that the newly-released Internet Explorer 9 browser is not affected by this security bulletin.

The next bulletin that should be addressed immediately is MS11-020.  A vulnerability exists in Microsoft’s SMB Server on all supported Microsoft operating systems.  An attacker could send malicious network traffic to an unpatched system, resulting in remote code execution.  This bulletin is particularly alarming because the vulnerability is potentially “wormable”: it can be exploited without authentication, so an attacker only needs network access to an unpatched machine, with no user interaction required.  Keep a watchful eye on this vulnerability.  The last time we saw a major worm against a vulnerability such as this one was Conficker.  The patch for that vulnerability was released in October of 2008, and it was four months until a major worm attacked it.

The last bulletin that should be addressed immediately is MS11-019.  A vulnerability exists in the SMB client on the Windows operating system.  If a client system makes a connection to a malicious SMB server, an attacker could take complete control of the system.  With this vulnerability, user interaction is required.  An iframe that points a user to a malicious SMB server is one example of how this vulnerability could, and more than likely will, be exploited.

MS11-026 addresses a vulnerability in MHTML.  This security bulletin closes out Security Advisory (2501696), released by Microsoft in January 2011.  There have been reports of this vulnerability being publicly exploited.  Microsoft did supply a workaround for the vulnerability that disabled MHTML functionality.  If the workaround has been applied, it should be removed after patching to return MHTML functionality to end users.

One question that will undoubtedly come up this month is:  Why are there so many vulnerabilities being fixed this month?  One reason is that MS11-034 alone addresses 30 of the 64 vulnerabilities.  This bulletin covers three core vulnerabilities; the remaining 27 are related to those three core vulnerabilities.

Also of note, Microsoft has released two new security advisories this month.  Both advisories supply non-security updates that add defense in depth to Microsoft software.  First, Microsoft released Security Advisory KB2501584.  This advisory introduces new functionality to Office 2003 and Office 2007 that allows Microsoft Office to pre-screen documents as they are opened.  This will prevent some malicious documents from exploiting a machine.  The feature was originally introduced in Office 2010, and Microsoft has backported it to these older versions of Office.

The second Security Advisory (KB2506014) hardens the Windows operating system against kernel-mode rootkits.  This update will break the hiding mechanisms of rootkits such as Alureon.  As with any update to the Windows kernel, this one should be tested thoroughly to ensure it does not adversely affect the operating system.

On the non-Microsoft front, Adobe released a new security advisory (APSA11-02) for Adobe Flash, Reader and Acrobat.  A vulnerability in Adobe Flash is being actively exploited in the wild.  There have been no reports of exploits against Adobe Reader and Acrobat to date.  Watch for an update to Adobe Flash coming very soon.  In addition, you can expect a quick update to the Google Chrome browser, since Google Chrome bundles Adobe Flash with the browser installation.  In the past, Google has timed its releases to coincide with Adobe’s Flash vulnerability fixes.  Adobe is reporting that Adobe Reader X prevents the exploit from executing, so they are holding the update for that program until their next quarterly update, scheduled for next June.

I will be going over the April 2011 Patch Tuesday in depth in our monthly Patch Tuesday webinar.  You can register to attend it here.

 – Jason Miller