Risk
4/12/2011
02:36 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Pushes Giant Security Patch

The record number of security fixes is the result of a single security bulletin that addresses 30 Windows kernel flaws.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches

Microsoft on Tuesday issued its April security patch, setting a new record for the number of vulnerabilities repaired.

The company published 17 security bulletins addressing 64 vulnerabilities. Last month the load was considerably lighter: three security bulletins addressing four vulnerabilities.

The April patch breaks a record set in December 2010, when Microsoft released 17 security bulletins addressing 40 vulnerabilities. Previous records were set in October 2010, with 16 bulletins and 49 vulnerabilities, and in August 2010, with 14 bulletins and 34 vulnerabilities.

Nine of the 17 bulletins this month are designated critical; eight are designated important.

Jerry Bryant, Microsoft group manager of response communications, said in a phone briefing that the large number of vulnerabilities this month is largely due to bulletin MS11-034, which addresses 30 Windows kernel flaws. Despite the sheer number of vulnerabilities addressed by this bulletin, it is only rated important.

Bryant credited Tarjei Mandt, a security researcher with Norman ASA, for reporting the vulnerabilities and expressed gratitude to all the security researchers who are working with Microsoft to improve the security of its software.

Bryant also said that Microsoft's customers care more about quality than quantity. "Customers don't have to do quite as a much testing [when the patches are high-quality]," he said. "So the volume is not so much of an issue."

In addition to its security bulletins, Microsoft is also releasing two security advisories. The first (25065014), Bryant said, is a non-security, high-priority update for the winload.exe component in 64-bit version of Windows. The update prevents a driver signing enforcement mechanism from being abused, thereby preventing current generation rootkits from being able to hide on Windows systems, said Bryant.

The second security advisory (25015084) details how Microsoft is bringing its Office 2010 file validation system to Office 2007 and 2003. This will mitigate the risk posted by malicious Office files to users of older versions of Office.

Bryant said Microsoft is recommending that customers focus first on deploying three patches: MS11-018, MS11-019, and MS11-020.

MS11-018 is an update for Internet Explorer, version 6 through 8. It addresses five critical vulnerabilities, one of which has been used in a targeted attack. Internet Explorer 9 is not affected.

MS11-018 fixes the vulnerability that was used to compromise Internet Explorer 8 at the Pwn2Own hacking competition during the recent CanSecWest security conference in Vancouver, Canada.

MS11-019 covers two SMB Client vulnerabilities. One has been publicly disclosed, Bryant said, but Microsoft is not aware of any attacks exploiting from this vulnerability. The privately disclosed flaw, however, he considers to be more serious.

MS11-020 resolves a privately disclosed SMB server flaw. Bryant said this is perhaps the most critical of all the vulnerabilities this month. "Any system with an open SMB share would be vulnerable from anyone on the network," he said.

Tyler Reguly, technical manager of security research and development for nCircle, concured, noting in an emailed statement that MS11-020 is similar to MS08-067, the flaw exploited by the Conficker worm. Security researchers with other companies are saying much the same thing.

Microsoft also is shipping a patch for the widely reported MHTML vulnerability (MS11-026) in Windows. Microsoft previously offered a Fix-it script as a temporary means of addressing the issue.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-4350
Published: 2014-09-19
Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file.

CVE-2014-4376
Published: 2014-09-19
IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments.

CVE-2014-4390
Published: 2014-09-19
Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

Best of the Web
Dark Reading Radio