Microsoft April 2011 security update is live

Microsoft released its April 2011 security update a few minutes ago, all of which can be found here.

The biggest fix of the bunch appears to be MS11-018, a bulletin for Windows Internet Explorer that addresses two security holes already used by attackers to hijack machines.

Microsoft says in that bulletin:

This security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 is not affected by the vulnerabilities.

The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, content during certain processes, and script during certain processes.Sign up today.

Get your morning news fix with the daily Salted Hash e-newsletter!

As is usually the case on Patch Tuesday, security vendors are flooding media inboxes with their take on the flaws.

Here’s a bit from Qualys:

In April 2011 Microsoft is releasing 17 security bulletins fixing a total of 64 vulnerabilities. Nine bulletins are rated critical and eight bulletins are rated important. All Windows operating systems and all versions of Office are affected, so this is a full plate for system administrators of companies both large and small.

On the top of the priority list of Qualys’ vulnerability team is MS11-018, a bulletin for Windows Internet Explorer that addresses two vulnerabilities that are already being used used by attackers in the wild to gain control over machines. We recommend deploying this patch immediately.

Next on our list is MS11-020, a server side vulnerability in the SMB protocol. Attackers can send a specially crafted packet to a server running this file sharing service and take control of the machine. The exploitability index is a low “1”, meaning that attackers will have little difficulty in reverse engineering the exploit, once they have the patch for MS11-020 in hand. Companies that make SMB accessible over the Internet are especially at risk. However the main attack opportunity is going to be inside of enterprise networks, once an attacker has established a presence on the network, for example, through one of the more frequent client side vulnerabilities in browsers, browser plug-ins or applications.

MS11-019 is the third vulnerability that we rank as highly critical. It also affects the SMB protocol, but this time on the client side. This typical attack vector is an e-mail that contains a link to an external malicious file server. The client opens the file which responds with malicious content and then gains control over the client workstation.

MS11-021, MS11-022, MS11-023 are all vulnerabilities in the Microsoft Office Suite. Rodrigo Branco, Director of Vulnerability Research at Qualys who reported the Excel vulnerability fixed by MS11-021 to Microsoft in 2010, emphasizes that an attacker can relatively easily craft an Excel file that will trigger the flaw.

Here’s the McAfee view:

April’s Microsoft Patch Tuesday is the largest for 2011, with 17 security bulletins to address a massive 64 vulnerabilities. Of the patches, nine have been rated “critical” and eight as “important,” affecting all versions of Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and the Graphics Device Interface (GDI+).

Also included in this month’s Patch Tuesday, was the MHTML bug that was disclosed back in January, which seemed to cause a stir among the media, but according to McAfee Labs Director of Security Research and Communication, Dave Marcus, “has not seen evidence that the impact of the MHTML vulnerability is more significant than other zero-day code execution vulnerabilities we’ve seen recently.”

“This month’s Patch Tuesday is not only a record for 2011, it’s a record-breaker for Microsoft, considering the December 2010 Patch Tuesday’s 17 patches only addressed 40 vulnerabilities,” said Marcus. “Sixty-four vulnerabilities is a very large amount, so organizations should be prepared.”

Also to note, that the CVE 2011-1345 vulnerability that was exploited that at the CanSecWest Pwn2Own hacking competition last month, was patched. This vulnerability in Microsoft Internet Explorer 8 on Windows 7 allows remote attackers to execute arbitrary code via unknown vectors.

“There has actually been limited field exploitation of the Pwn2Own (CVE 2011-1345) vulnerability reported,” said Marcus.

McAfee recommends that users install Microsoft’s patches as soon as possible. Home users should use Windows Automatic Updates.

And here’s the bulletin Symantec sent out:

Today, Microsoft issued 17 security bulletins which address 64 vulnerabilities. Thirteen of these vulnerabilities have been rated critical by Microsoft.

“With 64 vulnerabilities patched this month, Microsoft eclipsed the previous single month record of 49 set in October of last year,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Another record set this month is the number of vulnerabilities patched in a single bulletin, with 30 privilege escalation issues in Windows kernel-mode drivers being fixed in one fell swoop.”

“The most important patches this month are part of the cumulative security update for Internet Explorer,” Talbot added. “The majority of the vulnerabilities fixed affect IE 6, 7 and 8; this translates to an extremely wide install base of affected software. The fact they are also all drive-by download issues – where a user simply has to visit a compromised website for the vulnerability to be exploited – also increases their severity.”

“Out of the IE vulnerabilities addressed this month, the object management memory corruption issue is one of the most critical,” Talbot concluded. “A reliable exploit for this vulnerability was developed at the ‘Pwn2Own’ contest last month. We haven’t actually seen attacks exploiting this vulnerability in the wild yet, but it’s possible that exploit code will now be made more available. This would drastically increase the likelihood of attacks in the wild using this vulnerability.”

There you have it. Happy patching.

–Bill Brenner