Microsoft Pushes Giant Security Patch

10 Massive Security Breaches

Microsoft on Tuesday issued its April security patch, setting a new record for the number of vulnerabilities repaired.

The company published 17 security bulletins addressing 64 vulnerabilities. Last month the load was considerably lighter: three security bulletins addressing four vulnerabilities.

The April patch breaks a record set in December 2010, when Microsoft released 17 security bulletins addressing 40 vulnerabilities. Previous records were set in October 2010, with 16 bulletins and 49 vulnerabilities, and in August 2010, with 14 bulletins and 34 vulnerabilities.

Nine of the 17 bulletins this month are designated critical; eight are designated important.

Jerry Bryant, Microsoft group manager of response communications, said in a phone briefing that the large number of vulnerabilities this month is largely due to bulletin MS11-034, which addresses 30 Windows kernel flaws. Despite the sheer number of vulnerabilities addressed by this bulletin, it is only rated important.

Bryant credited Tarjei Mandt, a security researcher with Norman ASA, for reporting the vulnerabilities and expressed gratitude to all the security researchers who are working with Microsoft to improve the security of its software.

Bryant also said that Microsoft's customers care more about quality than quantity. "Customers don't have to do quite as a much testing [when the patches are high-quality]," he said. "So the volume is not so much of an issue."

In addition to its security bulletins, Microsoft is also releasing two security advisories. The first (25065014), Bryant said, is a non-security, high-priority update for the winload.exe component in 64-bit version of Windows. The update prevents a driver signing enforcement mechanism from being abused, thereby preventing current generation rootkits from being able to hide on Windows systems, said Bryant.

The second security advisory (25015084) details how Microsoft is bringing its Office 2010 file validation system to Office 2007 and 2003. This will mitigate the risk posted by malicious Office files to users of older versions of Office.

Bryant said Microsoft is recommending that customers focus first on deploying three patches: MS11-018, MS11-019, and MS11-020.

MS11-018 is an update for Internet Explorer, version 6 through 8. It addresses five critical vulnerabilities, one of which has been used in a targeted attack. Internet Explorer 9 is not affected.

MS11-018 fixes the vulnerability that was used to compromise Internet Explorer 8 at the Pwn2Own hacking competition during the recent CanSecWest security conference in Vancouver, Canada.

MS11-019 covers two SMB Client vulnerabilities. One has been publicly disclosed, Bryant said, but Microsoft is not aware of any attacks exploiting from this vulnerability. The privately disclosed flaw, however, he considers to be more serious.

MS11-020 resolves a privately disclosed SMB server flaw. Bryant said this is perhaps the most critical of all the vulnerabilities this month. "Any system with an open SMB share would be vulnerable from anyone on the network," he said.

Tyler Reguly, technical manager of security research and development for nCircle, concured, noting in an emailed statement that MS11-020 is similar to MS08-067, the flaw exploited by the Conficker worm. Security researchers with other companies are saying much the same thing.

Microsoft also is shipping a patch for the widely reported MHTML vulnerability (MS11-026) in Windows. Microsoft previously offered a Fix-it script as a temporary means of addressing the issue.